-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The Libreswan Project has released libreswan-3.22. This is a performance enhancement and feature release.

Performance improvements:

After investigating performance under high load, we found a number of issues that slowed pluto down. Fixing them resulted in state machine code updates related to IKE retransmits, logging improvements, less pthread locking, and hash table improvements. Together these fixes let libreswan handle 4x more connections than previous versions.

New features:

This release features Opportunistic IPsec support using the unbound DNS server's ipsecmod module. This allows the DNS server to perform IPSECKEY lookups while it performs A/AAAA lookups, and to trigger Opportunistic IPsec before the DNS client receives the answer from the DNS server.

Socket handling was updated to handle EAGAIN errors better, and options for the socket buffer size and for whether or not to process the socket error queue were added (see 'man ipsec.conf' and 'man pluto'). A bug where a client vanishing on a busy server could cause an unrelated DH calculation to be aborted was also fixed.

Initial support for RFC 7427 digital signature authentication has been added; in the next few releases we expect to increase the number of supported algorithms and signature formats.

Support for GMAC via esp=null_auth_aes_gcm was added for 3GPP.

The IPv6 neighbour discovery holes (previously configured via a separate v6neighbor-hole.conf) are now installed by pluto internally.

Important bugfixes:

A number of memory leaks were found and fixed, most notably in the IKEv2 fragmentation code. The XAUTH retransmit logic was fixed, and XAUTH without ModeCFG was fixed. The previous version mistakenly rejected preloaded certificates that were not authenticated using a CA certificate.

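The Opportunistic IPsec feature above hinges on the IPSECKEY resource record (RFC 4025) that the resolver looks up alongside A/AAAA. The following is an added example, not libreswan or unbound code: a small codec that parses IPSECKEY records from presentation format (the form a resolver-side hook would be handed), converts them to and from DNS wire format, rejects records whose gateway field does not match the declared gateway type, and picks the record an initiator would prefer (lowest precedence, keyed records only). The sample records are constructed from the RFC 4025 examples; the function names are this example's own.

```python
"""IPSECKEY resource record (RFC 4025) codec.

Added example for this announcement; it is not libreswan or unbound code.
The sample records in main() are constructed from the RFC 4025 examples.
"""
import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Gateway types, RFC 4025 section 2.3.
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3
# Algorithm types: 0 = no key, 1 = DSA, 2 = RSA (RFC 4025); 3 = ECDSA (RFC 8005).
ALGORITHMS = {0: "none", 1: "DSA", 2: "RSA", 3: "ECDSA"}


@dataclass(frozen=True)
class IPSECKEY:
    precedence: int      # lower is preferred, like MX preference
    gateway_type: int
    algorithm: int
    gateway: str         # "." for no gateway, an address literal, or an FQDN
    public_key: bytes    # raw key octets; empty when algorithm == 0


def _encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, root terminator."""
    body = name.rstrip(".")
    out = b""
    for label in (body.split(".") if body else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in gateway name {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _decode_name(buf: bytes, pos: int):
    """Decode a wire-format name at buf[pos]; pointers are not legal in RDATA we parse."""
    labels = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated gateway name")
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        if n & 0xC0:
            raise ValueError("compression pointer in IPSECKEY gateway name")
        if pos + n > len(buf):
            raise ValueError("truncated gateway label")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def _check_gateway(gateway_type: int, gateway: str) -> str:
    """Validate the gateway text against its declared type; return normalized text."""
    if gateway_type == GW_NONE:
        if gateway != ".":
            raise ValueError("gateway type 0 requires gateway '.'")
        return "."
    if gateway_type == GW_IPV4:
        return str(ipaddress.IPv4Address(gateway))   # raises ValueError on mismatch
    if gateway_type == GW_IPV6:
        return str(ipaddress.IPv6Address(gateway))
    if gateway_type == GW_NAME:
        if gateway == ".":
            raise ValueError("gateway type 3 requires a domain name")
        _encode_name(gateway)                         # raises on malformed labels
        return gateway if gateway.endswith(".") else gateway + "."
    raise ValueError(f"unknown gateway type {gateway_type}")


def _check_key(algorithm: int, key: bytes) -> None:
    if algorithm == 0 and key:
        raise ValueError("algorithm 0 means 'no key', but key material is present")
    if algorithm != 0 and not key:
        raise ValueError(f"algorithm {algorithm} declared but no key material")


def parse_presentation(text: str) -> IPSECKEY:
    """'precedence gateway-type algorithm gateway [base64 key ...]' -> IPSECKEY."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("need: precedence gateway-type algorithm gateway [key]")
    precedence, gateway_type, algorithm = (int(f) for f in fields[:3])
    if not all(0 <= v <= 255 for v in (precedence, gateway_type, algorithm)):
        raise ValueError("precedence, gateway type and algorithm are single octets")
    gateway = _check_gateway(gateway_type, fields[3])
    key = base64.b64decode("".join(fields[4:]), validate=True)
    _check_key(algorithm, key)
    return IPSECKEY(precedence, gateway_type, algorithm, gateway, key)


def to_presentation(rec: IPSECKEY) -> str:
    key = base64.b64encode(rec.public_key).decode("ascii")
    return f"{rec.precedence} {rec.gateway_type} {rec.algorithm} {rec.gateway} {key}".rstrip()


def to_wire(rec: IPSECKEY) -> bytes:
    head = bytes([rec.precedence, rec.gateway_type, rec.algorithm])
    if rec.gateway_type == GW_NONE:
        gw = b""
    elif rec.gateway_type == GW_IPV4:
        gw = ipaddress.IPv4Address(rec.gateway).packed
    elif rec.gateway_type == GW_IPV6:
        gw = ipaddress.IPv6Address(rec.gateway).packed
    else:
        gw = _encode_name(rec.gateway)
    return head + gw + rec.public_key


def from_wire(rdata: bytes) -> IPSECKEY:
    if len(rdata) < 3:
        raise ValueError("IPSECKEY RDATA shorter than 3 octets")
    precedence, gateway_type, algorithm = rdata[0], rdata[1], rdata[2]
    pos = 3
    if gateway_type == GW_NONE:
        gateway = "."
    elif gateway_type in (GW_IPV4, GW_IPV6):
        size = 4 if gateway_type == GW_IPV4 else 16
        if len(rdata) < pos + size:
            raise ValueError("truncated gateway address")
        gateway = str(ipaddress.ip_address(rdata[pos:pos + size]))
        pos += size
    elif gateway_type == GW_NAME:
        gateway, pos = _decode_name(rdata, pos)
    else:
        raise ValueError(f"unknown gateway type {gateway_type}")
    key = rdata[pos:]
    _check_key(algorithm, key)
    return IPSECKEY(precedence, gateway_type, algorithm, gateway, key)


def choose(records: List[IPSECKEY]) -> Optional[IPSECKEY]:
    """Record an initiator would act on: keyed records only, lowest precedence wins."""
    keyed = [r for r in records if r.algorithm != 0]
    return min(keyed, key=lambda r: r.precedence, default=None)


def main() -> None:
    key = "AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvNqbnJ7Y="
    samples = [f"10 0 2 . {key}", f"10 1 2 192.0.2.38 {key}",
               f"10 2 2 2001:0DB8:0:8002::2000:1 {key}",
               f"10 3 2 mygateway.example.com. {key}"]
    recs = [parse_presentation(s) for s in samples]
    for r in recs:
        assert from_wire(to_wire(r)) == r
        print(len(to_wire(r)), "octets:", to_presentation(r))
    print("preferred:", to_presentation(choose(recs)))


if __name__ == "__main__":
    main()
```

The gateway/type cross-check matters in practice: a record whose gateway literal does not match its declared type is malformed, and an initiator should discard it rather than guess which field to trust.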
You can download libreswan via https at:

https://download.libreswan.org/libreswan-3.22.tar.gz
https://download.libreswan.org/libreswan-3.22.tar.gz.asc

The full changelog is available at:

https://download.libreswan.org/CHANGES

Please report bugs either via one of the mailing lists or at our bug tracker:

https://lists.libreswan.org/
https://bugs.libreswan.org/

Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at

https://download.libreswan.org/binaries/

Binary packages for Fedora and Debian should be available in their respective repositories a few days after this release.

See also https://libreswan.org/

v3.22 (October 22, 2017)
* IKEv2: EXPERIMENTAL: unbound DNS server ipsecmod support [Opportunistic IPsec]
* IKEv2: Initial support for RFC 7427 Digital Signature [Sahana Prasad/GSoC]
* IKEv2: Do not include INTEG=NONE in AEAD IKE proposals [Andrew]
* IKEv2: Accept both ESP=AEAD+NONE and ESP=AEAD in proposals [Andrew]
  (See also: https://www.rfc-editor.org/errata/eid5109)
* IKEv2: Fix interop with old pluto that rejected esp=aead+none [Andrew]
* IKEv2: Add support for GMAC via esp=null_auth_aes_gcm [Andrew]
* IKEv2: Fragmentation code cleanup and memory leak fixes [Andrew]
* IKEv1: Fix XAUTH retransmits and packet storage [Antony]
* IKEv1: Perform custom state change for XAUTH without ModeCFG [Paul]
* IKEv1: Add support for nat-ikev1-method=none [Paul]
* IKEv1: XAUTH password length wasn't consistent at 128 [Stepan Broz]
* pluto: Natively install ICMPv6 neighbour discovery holes [Mayank Totale/GSoC]
* pluto: Fixup XAUTH/PAM thread cancelation handling [Andrew/Antony]
* pluto: Change default rundir from /var/run/pluto to /run/pluto [Paul]
* pluto: Various ike_alg parsing updates [Andrew]
* pluto: Various cleanups in addresspool and XAUTH code [Hugh]
* pluto: Fix missing ntohl() on the SPI numbers in ipsec status [Paul]
* pluto: Various memory leak fixes [Antony,Paul,Hugh]
* pluto: Make ioctl(SIOCGIFFLAGS) failure for labeled devices non-fatal [Paul]
* pluto: Give IKE traffic preference via SO_PRIO [Paul]
* pluto: New setup options: ike-socket-errqueue=, ike-socket-bufsize= [Paul]
* pluto: Improve whack --listevents with libevent [Antony]
* pluto: Fixup NIC offload support [Antony, Hugh]
* pluto: Track and try the number of EAGAIN errors on IKE socket [Hugh/Paul]
* pluto: Prevent spurious initiating states on responder-only conn [Antony]
* pluto: don't call sanitize_string() in fmt_log() as it is expensive [Paul]
* pluto: No longer need to specify null for AEAD, can use esp=aes_gcm [Andrew]
* pluto: Increase default nhelpers for 1 CPU (2) and 2 CPUs (4) [Paul]
* pluto: New option logip= (default yes) to disable log of incoming IPs [Paul]
* pluto: signal handling cleanup [Andrew/Hugh]
* pluto: Don't try to retransmit unsent packet [Paul/Hugh]
* pluto: state hashing improvements [Andrew]
* pluto: Fix erroneous connection switching (bug in v3.21) [Paul]
* pluto: when deleting parent, don't deschedule DH for wrong child [Andrew]
* pluto: dpdaction=restart fixup when using %any [Antony]
* pluto: Don't die on labeled interfaces without SIOCGIFFLAGS support [Paul]
* addconn: left=%defaultroute would fail if >500 host routes [Kim]
* showhostkey/rsasigkey: Fixup mismatch of public key display [Andrew]
* FIPS: Some selftests did not run properly under FIPS mode [Andrew]
* KLIPS: Removed old premade patches, use make targets instead [Paul]
* updown: Don't remove source ip if it's still used (rhbz#1492501) [Tuomo]
* updown: Allow disabling via leftupdown="" or leftupdown="%disabled" [Paul]
* updown: SPI numbers were missing ntohl() conversion [Paul]
* various: phase out --ctlbase for --ctlsocket and --rundir [Paul]
* libipsecconf: reject unavailable kernel algorithms in parser [Andrew]
* libswan/pluto: throw a clearer error for broken libunbound [Paul]
* libswan/pluto: Cleanup logging and tighten logging lock [Andrew]
* libswan/pluto: Greatly optimize logging code [Andrew]
* libswan/pluto: Some logging algorithm renames for more consistency [Andrew]
* building: remove -fexceptions; breaks pthread_cleanup_push [Andrew]
* packaging: Update debian/ and move to packaging/debian [Antony]
* packaging: Update fedora/rhel spec files [Tuomo]
* testing: --impair-foo changed to --impair foo [Andrew]
* testing: Some new impair options for testing [Andrew,Sahana,Paul]
* testing: Allow null encryption with null auth for testing [Andrew]

* Bugtracker bugs fixed:
  #294: Bug in public key reported by rsasigkey [Tijs Van Buggenhout/Andrew]
  #299: Fix overlapping addresspool and static lease from passwd file [Antony]
  #300: Fix bug in v3.21 that rejected hardcoded certs without a CA [Paul]
  #302: IKEv1-only and IKEv2-only must not share IKE SA [Paul]
  #303: xauth password length limited to 64 bytes [Stepan Broz]

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZ9XCKAAoJEIX/S0OzD8b5zosP/2tL4bPkd9+tkFiiz97qTi8S
tm0oCN1xW32RvYinJvsb6XwOyB4RCgY1YvIEVBEMleZLapX9i8jzuKgJA2GWVxoJ
6ZQt9UGu+lZbff/sidbKv9jiFAn9cgHEKF3kIZPkm8t1j7eclpVyDc13NlnFR3/s
AaN7NfNR9Zuk6Q7PtB0pADZD6LhPUKanMhx6BfUFWNQqwt4gWWzwJbCQ8tZS347e
6EiOSlAT6B6cUsFlV0xPOT+0EMmmjxh7aJVirPX2npgyiyj3YJuKNr7v2mkoIGAM
5GnO7Q6lgDlKo9qCWYVFwQEA3X1t8xEkoO2BSvcq/hNDD/2VOitf+PONioWQ/iZR
sPEWkYGFnF41Rt4g+OFo1Mjwng8fcL+8YhEqtY8Bg/E+0OJKd+WuqpRlh8ZXW+Qo
rBn3n+QSRqNGxqhCK6pw2Q0k/upp11UqEv6jvYDhwdmvtaXdqgW903DjHyD5K2Ln
hQgD3j7g2tvbg/wG7mZYLckhXw//8xXkH6x+DS83lxJrtNtnCa0X2OvP97GTws7t
K8dVEnxUl8aWr/TKNOSrdxoqAf/DS32YpAcAux9Uy+kklvt4fw+N/McEIh19FKDb
ad1ALvFPDhDuZZV/tLASyedC2ldrLm5VUZJgpS58WfYM11aqSGSy8iFpVQ21bhMz
W9DstRQGt4jYEijwMQTu
=kn+T
-----END PGP SIGNATURE-----

_______________________________________________
Swan-announce mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-announce

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
