Re: [Swan-dev] [cryptography] Announcing Mozilla::PKIX, a New Certificate Verification Library (fwd)

2014-04-10 Thread Matt Rogers
On Thu, Apr 10, 2014 at 10:40:40AM -0400, Lennart Sorensen wrote: On Mon, Apr 07, 2014 at 07:22:51PM -0400, Paul Wouters wrote: wonder if we can use this instead of the legacy x509 code I would prefer avoiding having to maintain yet another crypto library. Needing openssl and gnutls26

Re: [Swan-dev] nss updates, addcon bug #86 and libreswan 3.9 release

2014-05-28 Thread Matt Rogers
On 05/28, Wolfgang Nothdurft wrote: Hi Matt, I've tested the nss_updates branch and it works well. I have updated your changes to the actual master branch if needed. The only problem is, if you renew a certificate, libreswan holds the old one. The problem seems the missing

[Swan-dev] IKEv2 rekey saga

2014-05-28 Thread Matt Rogers
Here's what I have so far. With the event replacement changes in the patch, ipsecdoi_replace initiates and sends a new Parent SA when the old one expires. The rekeymargin options also don't seem to work with IKEv2 (since it's not negotiated?) so I needed a hack to delay the delete event otherwise

[Swan-dev] Storing of cert chains

2014-08-02 Thread Matt Rogers
I'm using the spd end structures 'this' and 'that' (i.e. c->spd.that.ca_path) to store the chain of CA certs. The 'this' end is loaded with the local cert path of the end certificate on a connection add, and the 'that' end is a list of CA certs received from the peer (which are all validated as a

[Swan-dev] CA chains / Bug 182

2014-08-15 Thread Matt Rogers
Hey all, I pushed the branch for this so I can start getting some eyes on it. Test cases are on the way. A summary of the changes: - Added load_end_ca_path() to load the available intermediate CA certs into the connection - Added the connection option sendca=none|issuer|all. This is a very

Re: [Swan-dev] naming v2 states

2014-08-29 Thread Matt Rogers
I like the suggested set at the bottom there. I think avoiding calling the resulting states a CHILD and instead calling them IKE or IPSEC is a good idea. I also like the idea of incorporating the intended SA type in the CHILD exchange's state names. Matt

Re: [Swan-dev] VID and IKE v2

2014-10-03 Thread Matt Rogers
On October 3, 2014 7:25:17 PM EDT, Paul Wouters p...@nohats.ca wrote: On Fri, 3 Oct 2014, D. Hugh Redelmeier wrote: fragmentation will be done differently in ikev2 unfortunately, using: https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-fragmentation-10 Although nothing stops us from adding

Re: [Swan-dev] a different git branching model for Libreswan

2014-10-29 Thread Matt Rogers
On 10/29, D. Hugh Redelmeier wrote: My suggested solution: release/freeze branches == We should never freeze master. When we want a freeze for a release, create a release branch. Work continues on master. If something should be in the

Re: [Swan-dev] OCSP timeline ?

2014-10-30 Thread Matt Rogers
On 10/29, jone...@teksavvy.com wrote: Hello, Is there a timeline for the integration of an OCSP feature in Libreswan ? What would be a reasonable timeframe ? Thanks ! No real timeline to share, but it's being worked on. The current x509 code is changing significantly in order to have

Re: [Swan-dev] a different git branching model for Libreswan

2014-10-30 Thread Matt Rogers
On 10/30, Paul Wouters wrote: http://nvie.com/posts/a-successful-git-branching-model/ In this one, master is sacred and seems to only include final releases. This is the model (and in fact the actual web page describing it) that we were trying to deploy. What I like about it is that most of

Re: [Swan-dev] shared IKE SA interop bug with cisco

2014-12-08 Thread Matt Rogers
On 12/04, Antony Antony wrote: can you commit test as a wip? I am curious to see what is going on. I need the same for IKEv2 and CREATE_CHILD_SA. Take a look at the conn_shared_ike branch that I pushed, it has a test and continuation of the patch. I was focusing on the IKEv1 side of this so

Re: [Swan-dev] generating x509 certificates

2015-02-03 Thread Matt Rogers
On 02/03, Andrew Cagney wrote: Hi, I've hit a few problems when trying to run the tests that require certificates. The main one is that the script dist_certs fails as openssl (Fedora release 20 (Heisenbug) at least) doesn't like generating the bad certificate: The organizationName field

Re: [Swan-dev] notes from meeting nss guys

2015-02-24 Thread Matt Rogers
On 02/24, Antony Antony wrote: Hi, Yesterday Paul and I met with NSS guys and here are some notes from the meeting. Thanks for the notes! I'm bummed I missed it considering I have been working on the x509 NSS re-write recently. NSPR threading: no need to use NSPR threading on Linux,

Re: [Swan-dev] pluto: Fix NSS certificate crash

2015-05-01 Thread Matt Rogers
On 04/30, Herbert Xu wrote: When we instantiate a connection we simply copy the certificate over, without getting a reference count over the new certificate reference, resulting in a bogus certificate when the instance is deleted. Signed-off-by: Herbert Xu herb...@gondor.apana.org.au

Re: [Swan-dev] pluto: Fix bogus no RSA public key known for '%fromcert'

2015-05-01 Thread Matt Rogers
On 05/01, Herbert Xu wrote: When refine_host_connection tests against a %fromcert RW connection followed by other right=%any connections with fixed IDs (e.g., @hostname), it will lose the fromcert setting. So when it does eventually return with the %fromcert RW connection fromcert will be

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?

2015-06-24 Thread Matt Rogers
On June 24, 2015 11:34:53 AM EDT, D. Hugh Redelmeier h...@mimosa.com wrote: | From: Andrew Cagney andrew.cag...@gmail.com | This doesn't seem like a reason for retaining the old shell scripts - | they are so far behind that they don't even generate all the required | keys. BTW, best place to

[Swan-dev] Including ipsec ca

2015-07-13 Thread Matt Rogers
I've pushed a branch called ipsec_ca with the WIP python code that makes up the 'ipsec ca' command. Right now it's not install-able to be used with the ipsec wrapper, so if you want to test it out, you can run _ipsec_ca under the programs/_ipsec_ca/ directory. 'ipsec ca' is a tool for users that

Re: [Swan-dev] Generate test certificates iff missing

2015-10-22 Thread Matt Rogers
- Original Message - > From: "Andrew Cagney" > To: "Libreswan Development List" > Sent: Thursday, October 22, 2015 10:32:12 AM > Subject: [Swan-dev] Generate test certificates iff missing > > I'd like to change

Re: [Swan-dev] crash introduced in c2ea0911 while replacing IKEv1 ISAKMP SA

2016-11-11 Thread Matt Rogers
On Wed, 2016-11-02 at 20:32 +0200, Tuomo Soini wrote: > On Sat, 29 Oct 2016 19:10:18 +0200 > Antony Antony wrote: > > > > > c2ea0911 introduced a crasher for IKEv1, when pluto replaces the IKE SA > > and deletes itself. > > > > #0  0x5610ca3c34b7 in free_generalNames (gn=0xe,

Re: [Swan-dev] error message when not running?

2017-03-20 Thread Matt Rogers
On Mon, Mar 20, 2017 at 12:20 PM, Paul Wouters wrote: > > I received this bug report, which I kind of agree with. But I'd like to > hear from others. > > Paul > I agree as well, it's redundant. Regards, Matt