I've merged in the x509-san branch and also reran all tests against an updated strongswan-5.5.2 (needed for AH testing/fixes).

There was some regression in the tests due to regression in strongswan. I've fixed the configs to work around some changes in their default options. One odd feature is that curve25519 is now their default DH group, so all tests require another roundtrip because it started with the wrong KE size payload. Even odder, they do the same for IKEv1, which causes them to send some IKE exchanges with an empty list of proposals, which we loudly complain about and refuse.

It now shows some AH tests failing, which is because I'm working on the update for libreswan to support proper AH alignment that strongswan now enforces. This will also require kernel 2.6.39 or higher, but I do think we all have that already running in our guests.

You can grab the strongswan src or fedora22 rpm here:

https://download.nohats.ca/strongswan/strongswan-5.5.2-1.fc27.src.rpm
https://download.nohats.ca/strongswan/strongswan-5.5.2-1.fc22.x86_64.rpm

The SubjectAltName tests required generating the certs differently. All certs now have a unique E= entry (instead of [email protected]) so we can test that we are properly ignoring that entry (we should only match USER_FQDN on subjectaltnames). All test cases have been updated for this, but be sure to rerun testing/x509/dist_certs.py or "make kvm-keys" so your certificate output matches the new good output.

Paul
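
The matching rule described in the message above (a USER_FQDN identity is compared only against subjectAltName email entries, never against the E= attribute in the subject DN), as an added illustration that is not libreswan's code or part of its test suite. The function names, certificate names and addresses are constructed for the example, and it assumes OpenSSL 1.1.1 or later for `-addext` and `-ext`.

```bash
#!/usr/bin/env bash
# Added illustration, not libreswan code. All names and addresses are constructed.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# make_cert NAME DN_EMAIL [SAN_EMAIL]
# Self-signed test cert with E=DN_EMAIL in the subject DN and, if given,
# SAN_EMAIL as a subjectAltName email entry. Prints the cert path.
make_cert() {
  local name=$1 dn_email=$2 san_email=${3:-}
  local args=(-x509 -newkey rsa:2048 -nodes -days 1
              -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt"
              -subj "/O=Example/CN=$name/emailAddress=$dn_email")
  if [ -n "$san_email" ]; then
    args+=(-addext "subjectAltName=email:$san_email")
  fi
  openssl req "${args[@]}" 2>/dev/null
  printf '%s\n' "$WORKDIR/$name.crt"
}

# san_emails CERT: print the subjectAltName email entries, one per line.
# Prints nothing when the cert has no subjectAltName extension.
san_emails() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    grep -o 'email:[^,]*' | sed 's/^email://' || true
}

# match_user_fqdn CERT ID: succeed only if ID is one of the SAN email entries.
# The subject DN is deliberately never consulted.
match_user_fqdn() {
  san_emails "$1" | grep -Fxq -- "$2"
}

# Constructed certs: the E= value is unique and differs from the SAN value,
# so a matcher that wrongly falls back to the DN would be caught.
east=$(make_cert east dn-only-east@example.test san-east@example.test)
nosan=$(make_cert nosan dn-only-nosan@example.test)

for id in san-east@example.test dn-only-east@example.test; do
  if match_user_fqdn "$east" "$id"; then verdict=accepted; else verdict=rejected; fi
  echo "east  $id: $verdict"
done
if match_user_fqdn "$nosan" dn-only-nosan@example.test; then verdict=accepted; else verdict=rejected; fi
echo "nosan dn-only-nosan@example.test: $verdict"
```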
