Recompile unbound with libevent support.

Sent from my iPhone

> On Aug 10, 2017, at 15:46, Nick Howitt <n...@howitts.co.uk> wrote:
>
> Hi Paul,
>
> Libreswan updated last night and now fails to start:
>
> Aug 10 20:36:49 server addconn: /usr/libexec/ipsec/addconn: symbol lookup error: /usr/libexec/ipsec/addconn: undefined symbol: ub_ctx_create_event
> Aug 10 20:36:49 server systemd: ipsec.service: control process exited, code=exited status=127
> Aug 10 20:36:49 server systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
> Aug 10 20:36:49 server systemd: Unit ipsec.service entered failed state.
> Aug 10 20:36:49 server systemd: ipsec.service failed.
>
> Any clues?
>
> Regards,
>
> Nick
>
>> On 10/08/2017 02:34, The Libreswan Project wrote:
>>
>> The Libreswan Project has released libreswan-3.21
>>
>> This is a bugfix and feature release.
>>
>> New Features:
>>
>> This release features Opportunistic IPsec using DNSSEC lookups of
>> IPSECKEY records. It also adds support for the DNSSEC root key rollover
>> that is currently happening with support for loading new DNSSEC
>> trust anchors from disk. If using DNSSEC with libreswan, please
>> upgrade to this version before October 10, 2017.
>> Support for hardware offloading for certain NIC cards (such as Mellanox)
>> was added. PFS support was added to the CREATE_CHILD_SA Exchange.
>>
>> Important bugfixes:
>>
>> The ID handling code is now more strict when using certificates. Any
>> ID configured via leftid= or rightid= MUST either be the certificate
>> DN or be a SubjectAltName (SAN) on the certificate.
>> A race condition in the threading code was fixed that could cause pluto
>> to crash on loaded systems that use IKEv1 XAUTH or IKEv2 PAM authentication.
>> A crasher in FIPS mode when input to hashing algorithms was too weak was
>> fixed.
>>
>> Compatibility changes:
>>
>> The above mentioned stricter ID handling can cause existing connections
>> to fail if a SubjectAltName is missing from a certificate whose ID is
>> specified in the connection.
>>
>> You can download libreswan via https at:
>>
>> https://download.libreswan.org/libreswan-3.21.tar.gz
>> https://download.libreswan.org/libreswan-3.21.tar.gz.asc
>>
>> The full changelog is available at:
>> https://download.libreswan.org/CHANGES
>>
>> Please report bugs either via one of the mailing lists or at our bug tracker:
>>
>> https://lists.libreswan.org/
>> https://bugs.libreswan.org/
>>
>> Binary packages for RHEL/EPEL and Debian/Ubuntu can be found at
>> https://download.libreswan.org/binaries/
>>
>> Binary packages for Fedora and Debian should be available in their respective
>> repositories a few days after this release.
>>
>> See also https://libreswan.org/
>>
>> v3.21 (August 9, 2017)
>> * FIPS: Don't crash on too weak PSK's in FIPS mode, warn for non-FIPS [Andrew]
>> * FIPS: rsasigkey: Use modulus F4, not 3 (FIPS 186-4, section B.3.1) [Paul]
>> * pluto: Support for "idXXX" esp/ike transform IDs removed [Andrew,Paul]
>> * pluto: Do not return whack error when terminating an alias connection [Paul]
>> * pluto: Remove IKE policy bits on passthrough conns [Paul]
>> * pluto: Minor memory leak fixes [Paul]
>> * pluto: Fix memory leak due to addresspool reference count error [Antony]
>> * pluto: Re-add support for ipsec whack --listevents [Antony]
>> * pluto: Cleanup listed events on shutdown to please leak-detective [Antony]
>> * pluto: Perform stricter SubjectAltName checks on configured ID's [Paul]
>> * pluto: Handle *subnets in --route and --unroute via whack [Mika/Tuomo]
>> * pluto: Unify IKEv1 XAUTH and IKEv2 PAM threading code [Andrew]
>> * pluto: Use pthread_cancel() (not SIGINT, conflicts with debuggers) [Andrew]
>> * pluto: Fix memory corruption with XAUTH/PAM threads [Andrew/Hugh]
>> * pluto: Fix resource leak processing XAUTH password authentication [Andrew]
>> * pluto: Fix warnings generated by gcc 7.1 [Lubomir Rintel]
>> * pluto: NIC offload support nic-offload=auto|yes|no (eg mellanox) [Ilan Tayari]
>> * pluto: Use common function in ikev1 / ikev2 for dpd/liveness actions [Antony]
>> * NSS: Try harder finding private keys that reside on hardware tokens [Andrew]
>> * IKEv2: Opportunistic IPsec support for IPSECKEY records [Antony]
>> * IKEv2: New dnssec-enable=yes|no, dnssec-rootkey-file=, dnssec-anchors= [Paul]
>> * IKEv2: If CREATE_CHILD_SA superseded retransmit, drop it [Antony]
>> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.1) [Antony]
>> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.2 responder) [Antony]
>> * IKEv2: Add PFS support for CREATE_CHILD_SA (RFC7296 1.3.3 responder) [Antony]
>> * IKEv2: Flush ESP/AH proposals on the initiator. It could be stale [Antony]
>> * IKEv2: State Machine (svm) updates to simplify CREATE_CHILD_SA [Antony]
>> * IKEv2: DH role is based on message role not Original Initiator role [Antony]
>> * IKEv2: Return CHILD_SA_NOT_FOUND when appropriate [Antony]
>> * IKEv2: After an IKE rekey, rehash inherited Child SA to new parent [Antony]
>> * IKEv2: Rekeying must update SPIs when inheriting a Child SA [Antony]
>> * IKEv2: Decrypt and verify the payloads before calling processor [Andrew]
>> * IKEv2: Fragmentation code cleanup [Andrew]
>> * IKEv2: Drop CREATE_CHILD_SA message when no IKE state found [Antony]
>> * IKEv2: Do not send a new delete request for the same Child SA [Antony]
>> * IKEv2: During Child SA rekey, abort when ESP proposals mismatch [Antony]
>> * IKEv2: OE client check should take responders behind NAT into account [Paul]
>> * IKEv2: Improved dpdaction=hold processing [Antony]
>> * IKEv1: Only initiate and create IKE SA for appropriate dpdaction [Antony]
>> * IKEv1: Re-add SHA2_256 (preferred) and SHA2_512 to IKEv1 defaults [Andrew]
>> * IKEv1: Aggressive Mode fixes for sending CERT / CERTREQ payloads [Paul]
>> * IKEv1: Multiple CISCO_SPLIT_INC's cause duplicate spd_routes [Oleg Rosowiecki]
>> * X509: Improve some failure logging [Paul]
>> * XFRM: Use proper alignment for IPv4 AH as per RFC4302 Section 3.3.3.2.1 [Paul]
>> * XFRM: Update including system or local copy of xfrm.h [Paul/Antony]
>> * XFRM: Remove no longer needed {rt}netlink.h copies [Paul]
>> * KLIPS: cryptoapi: switch from hash to ahash [Richard]
>> * KLIPS: Add traffic accounting support [Richard/Paul]
>> * KLIPS: Support for linux 4.11 [Paul]
>> * lib: Move the alg_info lookup-by-name code to libswan [Andrew]
>> * lib: Move all conditionally compiled ike_alg*.c files to libswan.a [Andrew]
>> * addconn: Replace ttoaddr() with calls supporting DNSSEC [Paul/Antony]
>> * libswan: Algo code cleanup [Andrew]
>> * libipsecconf: Load specified RSA keys irrespective of policy [Paul]
>> * libipsecconf/pluto: Be more strict in authby= & type= combinations [Paul]
>> * libipsecconf: Fail to load connections with unsatisfied auto= clause [Hugh]
>> * parser: Numerous algorithm parser fixes, eg. esp=aes_ccm_8_128-null [Andrew]
>> * algparse: (Experimental) modified to run algorithm parser stand-alone [Andrew]
>> * newhostkey: Actually append to secrets as the warning claims it will [Paul]
>> * _updown.netkey: Fix syntax failure when PLUTO_MY_SOURCEIP is not set [Tuomo]
>> * _updown.netkey,klips: Fix use of printf when updating resolv.conf [Tuomo]
>> * _updown.netkey: Remove wrong use of PLUTO_PEER_CLIENT netmask [Tuomo]
>> * _updown: Add MAX_CIDR variable for host netmask [Tuomo]
>> * ipsec import: Trust bits correction did not always trigger [Tuomo]
>> * building: Convert lib/ to use mk/library.mk [Andrew]
>> * building: Work around rhel-6 gcc [Andrew]
>> * building: Add copy unbound-event.h work around broken unbound installs [Paul]
>> * packaging: Better split rpm and make variables [Paul]
>> * packaging: Updates for new requirements for ldns, unbound-devel [Paul]
>> * testing: Add DNSSEC, Opportunistic IPsec testcases, fixups [Multiple people]
>> * contrib: Munin plugin for libreswan [Kim/Paul]
>> _______________________________________________
>> Swan-announce mailing list
>> swan-annou...@lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan-announce
>> _______________________________________________
>> Swan mailing list
>> Swan@lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
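
The `undefined symbol: ub_ctx_create_event` error in the thread means `addconn` imports a function that the installed libunbound does not export. The following is an added example, not part of the thread or of Libreswan's own tooling, that compares a binary's imported `ub_*` symbols with what the library exports; the function names, the `ldd`-based library lookup and the sample `nm` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list ub_* symbols a binary imports that libunbound does not export.

# missing_symbols NEED HAVE
#   NEED: file holding `nm -D --undefined-only <binary>` output
#   HAVE: file holding `nm -D --defined-only <library>` output
# Prints one unresolved ub_* symbol per line.
missing_symbols() {
    awk '
        FILENAME == ARGV[1] {                 # library exports: "addr type name"
            if (NF == 3) { sub(/@.*/, "", $3); have[$3] = 1 }
            next
        }
        NF == 2 && $1 == "U" {                # binary imports: "U name"
            sym = $2; sub(/@.*/, "", sym)     # drop any @VERSION suffix
            if (sym ~ /^ub_/ && !(sym in have)) print sym
        }
    ' "$2" "$1"
}

# check_binary BINARY: find the libunbound the loader resolves and compare.
# Returns 0 if nothing is missing, 1 if symbols are missing, 2 on tool failure.
check_binary() {
    lib=$(ldd "$1" | awk '/libunbound/ { print $3; exit }')
    [ -n "$lib" ] || { echo "no libunbound dependency found for $1" >&2; return 2; }
    d=$(mktemp -d) || return 2
    nm -D --undefined-only "$1" > "$d/need" && nm -D --defined-only "$lib" > "$d/have" ||
        { rm -rf "$d"; return 2; }
    out=$(missing_symbols "$d/need" "$d/have"); rm -rf "$d"
    [ -z "$out" ] && return 0
    printf '%s lacks: %s\n' "$lib" "$out"; return 1
}

# Constructed nm output (not captured from a real host) reproducing the failure.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '                 U ub_ctx_create_event' \
                  '                 U ub_ctx_delete' \
                  '                 U ub_strerror' \
                  '                 U memcpy@GLIBC_2.14' > "$d/need"
    printf '%s\n' '0000000000011a20 T ub_ctx_create' \
                  '0000000000011c40 T ub_ctx_delete' \
                  '0000000000013e80 T ub_strerror' > "$d/have"
    missing_symbols "$d/need" "$d/have"; rc=$?
    rm -rf "$d"; return $rc
}
demo
```

On an affected host, `check_binary /usr/libexec/ipsec/addconn` runs the same comparison against the installed files, both before and after rebuilding unbound.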