On Fri, 25 Sep 2015, Tomas France wrote:
OK, I understand. We are talking about 20+ servers that would need a full reinstallation by the way... Done by myself...
That's not too bad :)
It seems I have been able to compile OpenSwan 2.6.45 on the CentOS 5 (test) server though, although with some nasty makefile modifications.
Obviously I am biased, but I would not use openswan. They haven't properly fixed some of the earlier CVEs (the ID one) and their code hasn't seen the amount of FIPS and Common Criteria testing that libreswan went through. Also, if you compiled without NSS, that setup is also vulnerable to the private RSA key leak as described at: https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
I'd really prefer Libreswan as it works really well on one of our CentOS 6 servers already (well, too early to say really but so far so good). Also, if someone would consider modifying the patch from 3.14 to 3.13, I'd be willing to send a small donation for that :)
I think it would be more useful to see about pulling in nss from centos6 and going with the latest libreswan. The 3.15-3 build that will go into RHEL6 extras and RHEL-7.1.z probably has all the fixes for the flex/bison issues you reported. The pre-release of 3.15-3 can be found at ftp://ftp.nohats.ca/rhel6/

Paul
