Thread: [Ipsec-tools-devel] time for 0.8.1 ?
From: Timo T. <tim...@ik...> - 2012-08-23 11:55:41
Hi,

It's been almost 1.5 years since 0.8.0 was released. There's been only a handful [see below] of commits to 0.8 branch, but some of them are quite essential.

I'm planning to do 0.8.1 release tarball soon. Please yell if we need to cherry-pick more commits, or you have pending things for the 0_8-branch.

Thanks,
Timo

ChangeLog for the 0.8 branch since 0.8.0 tagging:

2012-08-23 Timo Teras <tim...@ik...>

    * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
    memory allocation.

2012-01-01 Timo Teras <tim...@ik...>

    * src/racoon/isakmp_unity.c: From Rainer Weikusat
    <rwe...@mo...>: Fix one byte too short memory
    allocation in isakmp_unity.c:splitnet_list_2str().

2011-11-17 Yvan Vanhullebus <va...@ne...>

    * src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
    current element could be removed during the loop

2011-11-14 Timo Teras <tim...@ik...>

    * src/libipsec/pfkey.c: From Marcelo Leitner <mle...@re...>:
    do not shrink pfkey socket buffers (if system default is larger than
    what we want as minimum)

2011-08-12 Timo Teras <tim...@ik...>

    * src/racoon/privsep.c: Have privilege separation child process
    exit if the parent exits.

    * Makefile.am: Create ChangeLog for proper CVS branch.

2011-03-18 tag ipsec-tools-0_8_0
From: Roman H. A. <rh...@op...> - 2012-08-23 12:50:32
Hi Timo

I have three things in my bag for 0.8.1, that were already posted to the mailing list:

Allow empty inherit statements (presumably already committed):
http://marc.info/?l=ipsec-tools-devel&m=131373226022643

Undecided issue about useless no-certificate warnings when using RSA keys:
http://marc.info/?l=ipsec-tools-devel&m=130068991507168&w=2

Another undecided issue: deal with reversed DPD cookies (be compatible to older Cisco devices):
http://marc.info/?l=ipsec-tools-devel&m=132109082301756&w=2

Cheers,
Roman

On 23.08.2012 13:54, Timo Teras wrote:
> Hi,
>
> It's been almost 1.5 years since 0.8.0 was released. There's been only
> a handful [see below] of commits to 0.8 branch, but some of them are
> quite essential.
>
> I'm planning to do 0.8.1 release tarball soon. Please yell if we need
> to cherry-pick more commits, or you have pending things for the
> 0_8-branch.
>
> Thanks,
> Timo
>
> ChangeLog for the 0.8 branch since 0.8.0 tagging:
>
> 2012-08-23 Timo Teras <tim...@ik...>
>
>     * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
>     memory allocation.
>
> 2012-01-01 Timo Teras <tim...@ik...>
>
>     * src/racoon/isakmp_unity.c: From Rainer Weikusat
>     <rwe...@mo...>: Fix one byte too short memory
>     allocation in isakmp_unity.c:splitnet_list_2str().
>
> 2011-11-17 Yvan Vanhullebus <va...@ne...>
>
>     * src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
>     current element could be removed during the loop
>
> 2011-11-14 Timo Teras <tim...@ik...>
>
>     * src/libipsec/pfkey.c: From Marcelo Leitner <mle...@re...>:
>     do not shrink pfkey socket buffers (if system default is larger than
>     what we want as minimum)
>
> 2011-08-12 Timo Teras <tim...@ik...>
>
>     * src/racoon/privsep.c: Have privilege separation child process
>     exit if the parent exits.
>
>     * Makefile.am: Create ChangeLog for proper CVS branch.
>
> 2011-03-18 tag ipsec-tools-0_8_0

--
Roman Hoog Antink
Dipl. Ing. ETH
Senior Security Engineer
Open Systems AG, Räffelstrasse 29, CH-8045 Zürich
t: +41 44 455 74 00
f: +41 44 455 74 01
rh...@op...
http://www.open.ch
From: Timo T. <tim...@ik...> - 2012-08-24 09:03:30
On Thu, 23 Aug 2012 14:50:20 +0200
Roman Hoog Antink <rh...@op...> wrote:

> I have three things in my bag for 0.8.1, that were already posted to
> the mailing list:
>
> Allow empty inherit statements (presumably already committed):
> http://marc.info/?l=ipsec-tools-devel&m=131373226022643

It's committed in HEAD only. Will cherry-pick unless someone objects.

> Undecided issue about useless no-certificate warnings when using RSA
> keys: http://marc.info/?l=ipsec-tools-devel&m=130068991507168&w=2

Well - just before the verify_cert test, we have a big honking switch for the certtype. Maybe in the ISAKMP_CERT_PLAINRSA case (possibly also checking that we are not in hybrid mode) we just set a local variable "no_verify_needed" and in that case inhibit the warning.

> Another undecided issue: deal with reversed DPD cookies (be compatible
> to older Cisco devices):
> http://marc.info/?l=ipsec-tools-devel&m=132109082301756&w=2

Did we have the patch for the reversed cookie check somewhere?

I'm willing to commit that.
From: Roman H. A. <rh...@op...> - 2012-08-24 09:40:12
On 24.08.2012 11:02, Timo Teras wrote:
> On Thu, 23 Aug 2012 14:50:20 +0200 Roman Hoog Antink <rh...@op...>
> wrote:
>
>> Undecided issue about useless no-certificate warnings when using RSA
>> keys: http://marc.info/?l=ipsec-tools-devel&m=130068991507168&w=2
>
> Well - just before the verify_cert test, we have a big honking switch
> for the certtype. Maybe in the ISAKMP_CERT_PLAINRSA case (possibly
> also checking that we are not in hybrid mode) we just set a local
> variable "no_verify_needed" and in that case inhibit the warning.
>
>> Another undecided issue: deal with reversed DPD cookies (be compatible
>> to older Cisco devices):
>> http://marc.info/?l=ipsec-tools-devel&m=132109082301756&w=2
>
> Did we have the patch for the reversed cookie check somewhere?
>
> I'm willing to commit that.
>

No, I never coded the reversed check, just its mere omission. I will present patches for both issues next week.
From: Roman H. A. <rh...@op...> - 2012-08-27 12:22:21
Attachments:
no_cert_warn.patch
On 24.08.2012 11:02, Timo Teras wrote:
> On Thu, 23 Aug 2012 14:50:20 +0200 Roman Hoog Antink <rh...@op...>
> wrote:
>
>> Undecided issue about useless no-certificate warnings when using RSA
>> keys: http://marc.info/?l=ipsec-tools-devel&m=130068991507168&w=2
>
> Well - just before the verify_cert test, we have a big honking switch
> for the certtype. Maybe in the ISAKMP_CERT_PLAINRSA case (possibly
> also checking that we are not in hybrid mode) we just set a local
> variable "no_verify_needed" and in that case inhibit the warning.

Find attached my revised patch regarding unnecessary warnings "CERT validation disabled by configuration". I added the hybrid exception check only for the case block that actually contains the ISAKMP_CERT_PLAINRSA nested case, not for the remaining hybrid modes.

The values of no_verify_needed mean:

-1: initial value; don't suppress warning
 0: hybrid mode potentially using plainRSA; don't suppress warning
 1: plainRSA but no hybrid mode; suppress warning

So long,
Roman
From: Timo T. <tim...@ik...> - 2012-08-29 11:25:10
On Mon, 27 Aug 2012 14:22:09 +0200
Roman Hoog Antink <rh...@op...> wrote:

> On 24.08.2012 11:02, Timo Teras wrote:
> > On Thu, 23 Aug 2012 14:50:20 +0200 Roman Hoog Antink <rh...@op...>
> > wrote:
> >
> >> Undecided issue about useless no-certificate warnings when using
> >> RSA keys:
> >> http://marc.info/?l=ipsec-tools-devel&m=130068991507168&w=2
> >
> > Well - just before the verify_cert test, we have a big honking
> > switch for the certtype. Maybe in the ISAKMP_CERT_PLAINRSA case
> > (possibly also checking that we are not in hybrid mode) we just set
> > a local variable "no_verify_needed" and in that case inhibit the
> > warning.
>
> Find attached my revised patch regarding unnecessary warnings "CERT
> validation disabled by configuration". I added the hybrid exception
> check only for the case block that actually contains the
> ISAKMP_CERT_PLAINRSA nested case, not for the remaining hybrid modes.
>
> The values of no_verify_needed mean:
>
> -1: initial value; don't suppress warning
>  0: hybrid mode potentially using plainRSA; don't suppress warning
>  1: plainRSA but no hybrid mode; suppress warning

Applied to CVS HEAD, and 0_8-stable branch. Thanks.
From: Roman H. A. <rh...@op...> - 2012-08-27 13:12:32
Attachments:
accept-reversed-dpd-cookies.patch
On 24.08.2012 11:02, Timo Teras wrote:
> On Thu, 23 Aug 2012 14:50:20 +0200 Roman Hoog Antink <rh...@op...>
> wrote:
>> Another undecided issue: deal with reversed DPD cookies (be compatible
>> to older Cisco devices):
>> http://marc.info/?l=ipsec-tools-devel&m=132109082301756&w=2
>
> Did we have the patch for the reversed cookie check somewhere?
>
> I'm willing to commit that.

Here comes the revised patch that will accept DPD messages with cookies in original or reversed order, as experienced with a Cisco 836 running IOS 12.3(8)T.

Roman
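The cookie handling Roman describes, as an added C illustration that is neither his patch (which is not on the page) nor racoon's own code: the struct, enum and function names are assumptions, and the cookie values are constructed. It checks the 16-byte SPI field of a DPD notify against the phase 1 SA's cookie pair in both orders.

```c
#include <stdint.h>
#include <string.h>

#define ISAKMP_COOKIE_LEN 8

/* Cookie pair as carried in the 16-byte SPI field of a DPD R-U-THERE /
 * R-U-THERE-ACK notify: initiator cookie, then responder cookie (RFC 3706).
 * The type and function names here are assumptions, not racoon's. */
struct dpd_cookies {
    uint8_t i_ck[ISAKMP_COOKIE_LEN];
    uint8_t r_ck[ISAKMP_COOKIE_LEN];
};

enum dpd_cookie_match {
    DPD_CK_MISMATCH = 0,  /* neither order matches: drop the notify */
    DPD_CK_NORMAL   = 1,  /* initiator/responder order, as specified */
    DPD_CK_REVERSED = 2   /* responder/initiator swapped (Cisco 836 quirk) */
};

/* Copy the cookies out of a notify SPI field. Refuses short input so a
 * truncated payload is never read past its end. */
int
dpd_parse_cookies(const uint8_t *spi, size_t len, struct dpd_cookies *out)
{
    if (spi == NULL || len < 2 * ISAKMP_COOKIE_LEN)
        return 0;
    memcpy(out->i_ck, spi, ISAKMP_COOKIE_LEN);
    memcpy(out->r_ck, spi + ISAKMP_COOKIE_LEN, ISAKMP_COOKIE_LEN);
    return 1;
}

/* Match the notify's cookies against the phase 1 SA it arrived on. Both
 * values must equal the SA's, in either order; a foreign cookie still fails. */
enum dpd_cookie_match
dpd_cookies_match(const struct dpd_cookies *msg, const struct dpd_cookies *ph1)
{
    if (memcmp(msg->i_ck, ph1->i_ck, ISAKMP_COOKIE_LEN) == 0 &&
        memcmp(msg->r_ck, ph1->r_ck, ISAKMP_COOKIE_LEN) == 0)
        return DPD_CK_NORMAL;
    if (memcmp(msg->i_ck, ph1->r_ck, ISAKMP_COOKIE_LEN) == 0 &&
        memcmp(msg->r_ck, ph1->i_ck, ISAKMP_COOKIE_LEN) == 0)
        return DPD_CK_REVERSED;
    return DPD_CK_MISMATCH;
}

/* Constructed sample (not a captured session): build the SPI field of a
 * notify in the given variant and run it through parse + match.
 * 0 = normal order, 1 = reversed order as the Cisco 836 sends it,
 * 2 = one foreign cookie, anything else = truncated field.
 * Returns the match result, or -1 when the SPI field is too short. */
int
demo_dpd_match(int variant)
{
    static const uint8_t i_ck[] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
    static const uint8_t r_ck[] = { 0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18 };
    static const uint8_t bad[]  = { 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef };
    struct dpd_cookies ph1, msg;
    uint8_t spi[2 * ISAKMP_COOKIE_LEN];
    size_t len = sizeof spi;

    memcpy(ph1.i_ck, i_ck, ISAKMP_COOKIE_LEN);
    memcpy(ph1.r_ck, r_ck, ISAKMP_COOKIE_LEN);
    /* Default layout: i_ck || r_ck, then perturb it per variant. */
    memcpy(spi, i_ck, ISAKMP_COOKIE_LEN);
    memcpy(spi + ISAKMP_COOKIE_LEN, r_ck, ISAKMP_COOKIE_LEN);
    if (variant == 1) {
        memcpy(spi, r_ck, ISAKMP_COOKIE_LEN);
        memcpy(spi + ISAKMP_COOKIE_LEN, i_ck, ISAKMP_COOKIE_LEN);
    } else if (variant == 2) {
        memcpy(spi, bad, ISAKMP_COOKIE_LEN);
    } else if (variant != 0) {
        len = ISAKMP_COOKIE_LEN + 3;
    }
    if (!dpd_parse_cookies(spi, len, &msg))
        return -1;
    return (int)dpd_cookies_match(&msg, &ph1);
}
```

Both cookies must still equal the SA's, so accepting the swapped order relaxes only the ordering, not which cookies are accepted; the truncated variant shows the length check that has to precede the compare.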
From: Timo T. <tim...@ik...> - 2012-08-29 12:02:23
On Mon, 27 Aug 2012 15:12:19 +0200
Roman Hoog Antink <rh...@op...> wrote:

> On 24.08.2012 11:02, Timo Teras wrote:
> > On Thu, 23 Aug 2012 14:50:20 +0200 Roman Hoog Antink <rh...@op...>
> > wrote:
> >> Another undecided issue: deal with reversed DPD cookies (be
> >> compatible to older Cisco devices):
> >> http://marc.info/?l=ipsec-tools-devel&m=132109082301756&w=2
> >
> > Did we have the patch for the reversed cookie check somewhere?
> >
> > I'm willing to commit that.
>
> Here comes the revised patch that will accept DPD messages with
> cookies in original or reversed order, as experienced with a Cisco
> 836 running IOS 12.3(8)T.

Applied to CVS HEAD on 0_8-branch. Thanks.
From: Michael C. W. <mc...@ha...> - 2012-08-24 11:32:04
Timo Teras <tim...@ik...>, 2012-08-23 13:54 (+0200):

> I'm planning to do 0.8.1 release tarball soon. Please yell if we need
> to cherry-pick more commits, or you have pending things for the
> 0_8-branch.

Any thoughts on including my patch to be able to load public RSA keys into a running racoon with racoonctl loadkey?

git://hack.org/ipsec-tools

There are two branches, master and loadkey.

If you want the whole shebang, with DNS queries for IPSECKEY, go for master.

If you only want the changes that implement the loadkey command, use the loadkey branch.

Cheers,
MC.

--
MC, http://hack.org/mc/
From: Michael C. W. <mc...@ha...> - 2012-08-24 11:32:12
Sorry to follow up my own post, but I forgot the project link to put the patches in context:

http://hack.org/mc/hacks/ipsec/

--
MC, http://hack.org/mc/
From: Timo T. <tim...@ik...> - 2012-08-24 12:42:56
On Fri, 24 Aug 2012 13:11:32 +0200
Michael Cardell Widerkrantz <mc...@ha...> wrote:

> Timo Teras <tim...@ik...>, 2012-08-23 13:54 (+0200):
>
> > I'm planning to do 0.8.1 release tarball soon. Please yell if we
> > need to cherry-pick more commits, or you have pending things for the
> > 0_8-branch.
>
> Any thoughts on including my patch to be able to load public RSA keys
> into a running racoon with racoonctl loadkey?
>
> git://hack.org/ipsec-tools
>
> There are two branches, master and loadkey.
>
> If you want the whole shebang, with DNS queries for IPSECKEY, go for
> master.
>
> If you only want the changes that implement the loadkey command, use
> the loadkey branch.

These look like a new feature to me. And intrusive enough to not include them in 0.8 maintenance branch.

I will take a look at them, though. And if all is good, can commit to the CVS HEAD development version.

-Timo
From: Michael C. W. <mc...@ha...> - 2012-08-24 13:23:46
Timo Teras <tim...@ik...>, 2012-08-24 14:41 (+0200):

> On Fri, 24 Aug 2012 13:11:32 +0200 Michael Cardell Widerkrantz
> <mc...@ha...> wrote:
>> Any thoughts on including my patch to be able to load public RSA keys
>> into a running racoon with racoonctl loadkey?

> These look like a new feature to me. And intrusive enough to not
> include them in 0.8 maintenance branch.

Oh, absolutely. I agree. I was just wondering where everyone had gone since I received no reaction when I first wrote to the list about my changes several months ago.

> I will take a look at them, though. And if all is good, can commit to
> the CVS HEAD development version.

If you do take a look I'm interested in comments. Tell me if something needs cleaning up.

--
MC, http://hack.org/mc/
From: VANHULLEBUS Y. <va...@fr...> - 2012-08-24 12:00:04
On Thu, Aug 23, 2012 at 02:54:18PM +0300, Timo Teras wrote:
> Hi,

Hi.

> It's been almost 1.5 years since 0.8.0 was released. There's been only
> a handful [see below] of commits to 0.8 branch, but some of them are
> quite essential.

Ok for me.

> I'm planning to do 0.8.1 release tarball soon. Please yell if we need
> to cherry-pick more commits, or you have pending things for the
> 0_8-branch.

Ok. Tell me if you need some help with the release process.

Yvan.
From: Roman H. A. <rh...@op...> - 2012-08-27 12:53:30
Attachments:
cert-not-verified-peer.patch
Hi

Just a tiny thing for 0.8.1: add peer IP in error message "the peer's certificate is not verified."

Roman
From: Timo T. <tim...@ik...> - 2012-08-29 11:35:45
On Mon, 27 Aug 2012 14:53:18 +0200
Roman Hoog Antink <rh...@op...> wrote:

> Just a tiny thing for 0.8.1: add peer IP in error message "the peer's
> certificate is not verified."

Applied to CVS HEAD and 0_8-stable. Thanks.
From: Timo T. <tim...@ik...> - 2012-12-03 12:58:31
Hi,

On Thu, 23 Aug 2012 14:54:18 +0300
Timo Teras <tim...@ik...> wrote:

> It's been almost 1.5 years since 0.8.0 was released. There's been only
> a handful [see below] of commits to 0.8 branch, but some of them are
> quite essential.
>
> I'm planning to do 0.8.1 release tarball soon. Please yell if we need
> to cherry-pick more commits, or you have pending things for the
> 0_8-branch.

Seems this was forgotten after the patch applying week. Is there anything additional, or should we go ahead and tag 0.8.1 from current CVS 0.8-branch?

The patches applied since the original mail are:

2012-08-29 Timo Teras <tim...@ik...>

    * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rh...@op...>:
    Accept DPD messages with cookies also in reversed order for
    compatibility. At least Cisco 836 running IOS 12.3(8)T does this.

    * src/racoon/oakley.c: From Roman Hoog Antink <rh...@op...>:
    add remote's IP address to the "certificate not verified" error
    message.

    * src/racoon/oakley.c: From Roman Hoog Antink <rh...@op...>:
    do not print unnecessary warning about non-verified certificate
    when using raw plain-rsa.

    * src/racoon/isakmp.c: From Rainer Weikusat <rwe...@mo...>:
    Release unused phase2 of passive remotes after acquire.

    * src/racoon/isakmp.c: From Wolfgang Schmieder <wol...@ho...>:
    setup phase1 port properly.

    * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
    remote blocks without additional remote statements to be specified
    in a simpler way. patch by Roman Hoog Antink <rh...@op...>

> ChangeLog for the 0.8 branch since 0.8.0 tagging:
>
> 2012-08-23 Timo Teras <tim...@ik...>
>
>     * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix
>     bignum memory allocation.
>
> 2012-01-01 Timo Teras <tim...@ik...>
>
>     * src/racoon/isakmp_unity.c: From Rainer Weikusat
>     <rwe...@mo...>: Fix one byte too short
>     memory allocation in isakmp_unity.c:splitnet_list_2str().
>
> 2011-11-17 Yvan Vanhullebus <va...@ne...>
>
>     * src/racoon/handler.c: fixed some crashes in LIST_FOREACH
>     where current element could be removed during the loop
>
> 2011-11-14 Timo Teras <tim...@ik...>
>
>     * src/libipsec/pfkey.c: From Marcelo Leitner
>     <mle...@re...>: do not shrink pfkey socket buffers (if system
>     default is larger than what we want as minimum)
>
> 2011-08-12 Timo Teras <tim...@ik...>
>
>     * src/racoon/privsep.c: Have privilege separation child
>     process exit if the parent exits.
>
>     * Makefile.am: Create ChangeLog for proper CVS branch.
>
> 2011-03-18 tag ipsec-tools-0_8_0
From: Götz Babin-E. <g.b...@no...> - 2012-12-03 15:33:42
On 03.12.12 13:57, Timo Teras wrote:
> Hi,
>
> On Thu, 23 Aug 2012 14:54:18 +0300 Timo Teras <tim...@ik...>
> wrote:
>
>> It's been almost 1.5 years since 0.8.0 was released. There's been
>> only a handful [see below] of commits to 0.8 branch, but some of
>> them are quite essential.
>>
>> I'm planning to do 0.8.1 release tarball soon. Please yell if we
>> need to cherry-pick more commits, or you have pending things for
>> the 0_8-branch.

Attached patch is a somewhat smarter X509 subject name compare.
X509 names may contain entries with different encodings (like UTF-8).
The old code (some copy from the ancient openssl 0.9.7 release) did not handle that.
The new code only handles stripping of the wildcards from the name and lets openssl do the compare of all non-wildcard entries...

(OK, it requires a newer OpenSSL version than 0.9.7; whoever still uses 0.9.7 has more pressing problems...)

Goetz
From: Timo T. <tim...@ik...> - 2012-12-04 06:27:47
On Mon, 03 Dec 2012 16:33:31 +0100
Götz Babin-Ebell <g.b...@no...> wrote:

> On 03.12.12 13:57, Timo Teras wrote:
> > On Thu, 23 Aug 2012 14:54:18 +0300 Timo Teras <tim...@ik...>
> > wrote:
> >
> >> It's been almost 1.5 years since 0.8.0 was released. There's been
> >> only a handful [see below] of commits to 0.8 branch, but some of
> >> them are quite essential.
> >>
> >> I'm planning to do 0.8.1 release tarball soon. Please yell if we
> >> need to cherry-pick more commits, or you have pending things for
> >> the 0_8-branch.
>
> Attached patch is a somewhat smarter X509 subject name compare.
> X509 names may contain entries with different encodings (like UTF-8).
> The old code (some copy from the ancient openssl 0.9.7 release)
> did not handle that.
> The new code only handles stripping of the wildcards from the name
> and lets openssl do the compare of all non-wildcard entries...
>
> (OK, it requires a newer OpenSSL version than 0.9.7; whoever still
> uses 0.9.7 has more pressing problems...)

I kinda like this. I'd like to commit this, or is there something non-obvious here that I am not seeing? Yvan? Emmanuel?

- Timo
From: <ma...@ne...> - 2012-12-06 02:13:34
Timo Teras <tim...@ik...> wrote:

> I kinda like this. I'd like to commit this, or is there something
> non-obvious here that I am not seeing? Yvan? Emmanuel?

If it's not obvious, I do not see it either :-)

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
From: Timo T. <tim...@ik...> - 2012-12-12 07:33:58
On Mon, 03 Dec 2012 16:33:31 +0100
Götz Babin-Ebell <g.b...@no...> wrote:

> Attached patch is a somewhat smarter X509 subject name compare.
> X509 names may contain entries with different encodings (like UTF-8).
> The old code (some copy from the ancient openssl 0.9.7 release)
> did not handle that.
> The new code only handles stripping of the wildcards from the name
> and lets openssl do the compare of all non-wildcard entries...
>
> (OK, it requires a newer OpenSSL version than 0.9.7; whoever still
> uses 0.9.7 has more pressing problems...)

Since no one is objecting - I'm willing to commit this. However, please update configure.ac to check for proper version of openssl.

Currently we seem to need 0.9.6. Please check which will be the minimum requirement after your change, and update the autoconf check accordingly.

Thanks,
Timo
From: Götz Babin-E. <g.b...@no...> - 2012-12-12 09:08:53
On 12.12.12 08:33, Timo Teras wrote:
> On Mon, 03 Dec 2012 16:33:31 +0100 Götz Babin-Ebell
> <g.b...@no...> wrote:
>
>> Attached patch is a somewhat smarter X509 subject name compare.
>> X509 names may contain entries with different encodings (like
>> UTF-8). The old code (some copy from the ancient openssl 0.9.7
>> release) did not handle that. The new code only handles
>> stripping of the wildcards from the name and lets openssl do the
>> compare of all non-wildcard entries...
>
>> (OK, it requires a newer OpenSSL version than 0.9.7; whoever
>> still uses 0.9.7 has more pressing problems...)
>
> Since no one is objecting - I'm willing to commit this. However,
> please update configure.ac to check for proper version of openssl.
>
> Currently we seem to need 0.9.6. Please check which will be the
> minimum requirement after your change, and update the autoconf
> check accordingly.

OpenSSL 0.9.6 ?

Ough.

OpenSSL 0.9.6 is not maintained any more since March 2004.
OpenSSL 0.9.7 is not maintained any more since February 2007.

Current OpenSSL version is 1.0.1c.
Still maintained is OpenSSL 0.9.8 (last release being 0.9.8x).

To me it feels wrong to allow an OpenSSL version that is not maintained any more or contains known security vulnerabilities in a security sensitive program / module like ipsec-tools / racoon.

So to me it seems the question is not
"what is the minimum required OpenSSL version"
but
"in which OpenSSL version are all relevant security issues fixed".

According to the issues listed in
http://www.openssl.org/news/vulnerabilities.html
this seems to be 0.9.8s.

The attached patch should fix this.

Goetz
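The version floor Götz settles on, as an added C illustration that is not his configure.ac patch (which is not on the page): it unpacks OpenSSL's MNNFFPPS version number and applies the 0.9.8s threshold the way a configure-time compile test would. The constant and helper names are assumptions; the sample version numbers are constructed.

```c
#include <stdio.h>

/* Lowest acceptable OPENSSL_VERSION_NUMBER, 0.9.8s, packed as MNNFFPPS:
 * M=0, NN=0x09, FF=0x08, PP=0x13 ('s' is the 19th letter), S=0xf (release).
 * The floor comes from the thread's conclusion, not from configure.ac. */
#define OPENSSL_MIN_VERSION 0x0090813fUL

struct openssl_ver {
    unsigned major, minor, fix;
    unsigned patch;   /* 0 = none, 1 = 'a' ... 26 = 'z' */
    unsigned status;  /* 0 = dev, 1..14 = beta, 0xf = release */
};

/* Unpack the MNNFFPPS layout. */
void
openssl_decode(unsigned long v, struct openssl_ver *out)
{
    out->major  = (unsigned)((v >> 28) & 0x0f);
    out->minor  = (unsigned)((v >> 20) & 0xff);
    out->fix    = (unsigned)((v >> 12) & 0xff);
    out->patch  = (unsigned)((v >>  4) & 0xff);
    out->status = (unsigned)(v & 0x0f);
}

/* Patch letter of a packed number: 's' for 0.9.8s, '\0' when there is no
 * patch level, '?' for the rare levels beyond 'z'. */
char
openssl_patch_letter(unsigned long v)
{
    struct openssl_ver d;
    openssl_decode(v, &d);
    if (d.patch == 0)
        return '\0';
    return d.patch <= 26 ? (char)('a' + d.patch - 1) : '?';
}

/* Render a packed number as "0.9.8s" or "1.0.1c"; returns the length. */
int
openssl_format(unsigned long v, char *buf, size_t n)
{
    struct openssl_ver d;
    char letter = openssl_patch_letter(v);
    openssl_decode(v, &d);
    if (letter == '\0')
        return snprintf(buf, n, "%u.%u.%u", d.major, d.minor, d.fix);
    return snprintf(buf, n, "%u.%u.%u%c", d.major, d.minor, d.fix, letter);
}

/* The test a configure-time check performs: the layout is ordered so a
 * plain numeric compare is a correct version compare. */
int
openssl_version_ok(unsigned long v)
{
    return v >= OPENSSL_MIN_VERSION;
}

int
main(void)
{
    /* Constructed sample values; a real build would read
     * OPENSSL_VERSION_NUMBER from <openssl/opensslv.h>. */
    static const unsigned long samples[] = {
        0x0090812fUL, /* 0.9.8r: one patch level below the floor */
        0x0090813fUL, /* 0.9.8s: exactly the floor */
        0x1000103fUL  /* 1.0.1c: current when the thread was written */
    };
    char buf[32];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        openssl_format(samples[i], buf, sizeof buf);
        printf("%-7s 0x%08lx %s\n", buf, samples[i],
               openssl_version_ok(samples[i]) ? "ok" : "too old");
    }
    return 0;
}
```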
From: Timo T. <tim...@ik...> - 2012-12-12 09:55:00
On Wed, 12 Dec 2012 10:08:39 +0100
Götz Babin-Ebell <g.b...@no...> wrote:

> On 12.12.12 08:33, Timo Teras wrote:
> > On Mon, 03 Dec 2012 16:33:31 +0100 Götz Babin-Ebell
> > <g.b...@no...> wrote:
> >
> >> Attached patch is a somewhat smarter X509 subject name compare.
> >> X509 names may contain entries with different encodings (like
> >> UTF-8). The old code (some copy from the ancient openssl 0.9.7
> >> release) did not handle that. The new code only handles
> >> stripping of the wildcards from the name and lets openssl do the
> >> compare of all non-wildcard entries...
> >
> >> (OK, it requires a newer OpenSSL version than 0.9.7; whoever
> >> still uses 0.9.7 has more pressing problems...)
> >
> > Since no one is objecting - I'm willing to commit this. However,
> > please update configure.ac to check for proper version of openssl.
> >
> > Currently we seem to need 0.9.6. Please check which will be the
> > minimum requirement after your change, and update the autoconf
> > check accordingly.
>
> OpenSSL 0.9.6 ?
>
> Ough.
>
> OpenSSL 0.9.6 is not maintained any more since March 2004.
> OpenSSL 0.9.7 is not maintained any more since February 2007.
>
> Current OpenSSL version is 1.0.1c.
> Still maintained is OpenSSL 0.9.8 (last release being 0.9.8x).
>
> To me it feels wrong to allow an OpenSSL version that is not
> maintained any more or contains known security vulnerabilities in a
> security sensitive program / module like ipsec-tools / racoon.
>
> So to me it seems the question is not
> "what is the minimum required OpenSSL version"
> but
> "in which OpenSSL version are all relevant security issues fixed".
>
> According to the issues listed in
> http://www.openssl.org/news/vulnerabilities.html
> this seems to be 0.9.8s.
>
> The attached patch should fix this.

I agree.

Will commit this first, and the other patch after this unless someone disagrees.

Thanks,
Timo
From: Timo T. <tim...@ik...> - 2012-12-24 14:52:44
On Wed, 12 Dec 2012 11:54:19 +0200
Timo Teras <tim...@ik...> wrote:

> On Wed, 12 Dec 2012 10:08:39 +0100 Götz Babin-Ebell
> <g.b...@no...> wrote:
>
> > On 12.12.12 08:33, Timo Teras wrote:
> > > On Mon, 03 Dec 2012 16:33:31 +0100 Götz Babin-Ebell
> > > <g.b...@no...> wrote:
> > >
> > >> Attached patch is a somewhat smarter X509 subject name compare.
> > >> X509 names may contain entries with different encodings (like
> > >> UTF-8). The old code (some copy from the ancient openssl 0.9.7
> > >> release) did not handle that. The new code only handles
> > >> stripping of the wildcards from the name and lets openssl do the
> > >> compare of all non-wildcard entries...
> > >
> > >> (OK, it requires a newer OpenSSL version than 0.9.7; whoever
> > >> still uses 0.9.7 has more pressing problems...)
> > >
> > > Since no one is objecting - I'm willing to commit this. However,
> > > please update configure.ac to check for proper version of openssl.
> > >
> > > Currently we seem to need 0.9.6. Please check which will be the
> > > minimum requirement after your change, and update the autoconf
> > > check accordingly.
> >
> > OpenSSL 0.9.6 ?
> >
> > Ough.
> >
> > OpenSSL 0.9.6 is not maintained any more since March 2004.
> > OpenSSL 0.9.7 is not maintained any more since February 2007.
> >
> > Current OpenSSL version is 1.0.1c.
> > Still maintained is OpenSSL 0.9.8 (last release being 0.9.8x).
> >
> > To me it feels wrong to allow an OpenSSL version that is not
> > maintained any more or contains known security vulnerabilities in a
> > security sensitive program / module like ipsec-tools / racoon.
> >
> > So to me it seems the question is not
> > "what is the minimum required OpenSSL version"
> > but
> > "in which OpenSSL version are all relevant security issues fixed".
> >
> > According to the issues listed in
> > http://www.openssl.org/news/vulnerabilities.html
> > this seems to be 0.9.8s.
> >
> > The attached patch should fix this.
>
> I agree.
>
> Will commit this first, and the other patch after this unless someone
> disagrees.

Done.

I think this should be it for 0.8.1 release. I'll start to prepare the release. Should get it out still this year :)

- Timo
From: Timo T. <tim...@ik...> - 2013-01-08 13:01:22
On Mon, 24 Dec 2012 16:52:13 +0200
Timo Teras <tim...@ik...> wrote:

> I think this should be it for 0.8.1 release. I'll start to prepare the
> release. Should get it out still this year :)

Bah. Did not make it. However, the tarballs are now generated. Will post something on the website later.

Tarballs are at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/
http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.1/

I hope I didn't break anything when fixing the autotools issues after my desktop got them upgraded.

- Timo