On Thu, Apr 10, 2014 at 10:40:40AM -0400, Lennart Sorensen wrote:
On Mon, Apr 07, 2014 at 07:22:51PM -0400, Paul Wouters wrote:
wonder if we can use this instead of the legacy x509 code
I would prefer avoiding having to maintain yet another crypto library.
Needing openssl and gnutls26
On 05/28, Wolfgang Nothdurft wrote:
Hi Matt,
I've tested the nss_updates branch and it works well.
I have updated your changes to the actual master branch if needed.
The only problem is, if you renew a certificate, libreswan holds the
old one.
The problem seems the missing
Here's what I have so far. With the event replacement changes in the patch,
ipsecdoi_replace initiates and sends a new Parent SA when the old one expires.
The rekeymargin options also don't seem to work with IKEv2 (since it's not
negotiated?) so I needed a hack to delay the delete event otherwise
I'm using the spd end structures 'this' and 'that' (ie
c-spd.that.ca_path) to store the chain of CA certs. The 'this' end is
loaded with the local cert path of the end certificate on a connection
add, and the 'that' end is a list of CA certs received from the peer
(which are all validated as a
Hey all,
I pushed the branch for this so I can start getting some eyes on it. Test cases
are on the way. A summary of the changes:
- Added load_end_ca_path() to load the available intermediate CA certs into the
connection
- Added the connection option sendca=none|issuer|all. This is a very
I like the suggested set at the bottom there. I think avoiding calling the
resulting states a CHILD and instead calling them IKE or IPSEC is a good idea.
I also like the idea of incorporating the intended SA type in the CHILD
exchange's state names.
Matt
On October 3, 2014 7:25:17 PM EDT, Paul Wouters p...@nohats.ca wrote:
On Fri, 3 Oct 2014, D. Hugh Redelmeier wrote:
fragmentation will be done differently in ikev2 unfortunately, using:
https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-fragmentation-10
Although nothing stops us from adding
On 10/29, D. Hugh Redelmeier wrote:
My suggested solution: release/freeze branches
==
We should never freeze master.
When we want a freeze for a release, create a release branch.
Work continues on master.
If something should be in the
On 10/29, jone...@teksavvy.com wrote:
Hello,
Is there a timeline for the integration of an OCSP feature in
Libreswan? What would be a reasonable timeframe?
Thanks!
No real timeline to share, but it's being worked on. The current x509 code is
changing significantly in order to have
On 10/30, Paul Wouters wrote:
http://nvie.com/posts/a-successful-git-branching-model/
In this one, master is sacred and seems to only include final
releases.
This is the model (and in fact the actual web page describing it) that
we were trying to deploy. What I like about it is that most of
On 12/04, Antony Antony wrote:
can you commit test as a wip? I am curious to see what is going on. I need
the same for IKEv2 and CREATE_CHILD_SA.
Take a look at the conn_shared_ike branch that I pushed, it has a test and
continuation of the patch. I was focusing on the IKEv1 side of this so
On 02/03, Andrew Cagney wrote:
Hi,
I've hit a few problems when trying to run the tests that require
certificates. The main one is that the script dist_certs fails as
openssl (Fedora release 20 (Heisenbug) at least) doesn't like
generating the bad certificate:
The organizationName field
On 02/24, Antony Antony wrote:
Hi,
Yesterday Paul and I met with NSS guys and here are some notes from the
meeting.
Thanks for the notes! I'm bummed I missed it considering I have been
working on the x509 NSS re-write recently.
NSPR threading: no need to use NSPR threading on Linux,
On 04/30, Herbert Xu wrote:
When we instantiate a connection we simply copy the certificate
over, without getting a reference count over the new certificate
reference, resulting in a bogus certificate when the instance is
deleted.
Signed-off-by: Herbert Xu herb...@gondor.apana.org.au
On 05/01, Herbert Xu wrote:
When refine_host_connection tests against a %fromcert RW connection
followed by other right=%any connections with fixed IDs (e.g.,
@hostname), it will lose the fromcert setting. So when it does
eventually return with the %fromcert RW connection fromcert will
be
On June 24, 2015 11:34:53 AM EDT, D. Hugh Redelmeier h...@mimosa.com wrote:
| From: Andrew Cagney andrew.cag...@gmail.com
| This doesn't seem like a reason for retaining the old shell scripts -
| they are so far behind that they don't even generate all the required
| keys. BTW, best place to
I've pushed a branch called ipsec_ca with the WIP python code that makes up
the 'ipsec ca' command. Right now it's not install-able to be used with
the ipsec wrapper, so if you want to test it out, you can run _ipsec_ca under
the programs/_ipsec_ca/ directory.
'ipsec ca' is a tool for users that
- Original Message -
> From: "Andrew Cagney"
> To: "Libreswan Development List"
> Sent: Thursday, October 22, 2015 10:32:12 AM
> Subject: [Swan-dev] Generate test certificates iff missing
>
> I'd like to change
On Wed, 2016-11-02 at 20:32 +0200, Tuomo Soini wrote:
> On Sat, 29 Oct 2016 19:10:18 +0200
> Antony Antony wrote:
>
> >
> > c2ea0911 introduced a crasher for IKEv1. When pluto replace IKE SA
> > and delete itself.
> >
> > #0 0x5610ca3c34b7 in free_generalNames (gn=0xe,
On Mon, Mar 20, 2017 at 12:20 PM, Paul Wouters wrote:
>
> I received this bug report, which I kind of agree with. But I'd like to
> hear from others.
>
> Paul
>
I agree as well, it's redundant.
Regards,
Matt
___
Swan-dev mailing list