Re: [PATCH 1/1] rebase -r: let `label` generate safer labels

2019-09-03 Thread Matt Rogers
I agree that the code locally was simple enough. Ultimately I feel that sanitizing and uniqueifying the label should probably be done closer together/at the same place. I'm just not familiar enough with the codebase to know a good place (if any) to move that to. Eventually though this would stil

Re: [android-building] Building an old specific commit in one AOSP project

2019-07-01 Thread Matt Rogers
Sounds like you need to fork the whole branch then do a revert to that commit, then build the project. Or since is just the BT, go to that folder before you build and do a revert for that file, compile just that portion of the project, and import that into your device to see if that works. Just mu

Re: [Swan] Certificate import error via ipsec import

2017-05-02 Thread Matt Rogers
On Sun, Apr 30, 2017 at 11:19 PM, Paul Wouters wrote: > On Sat, 29 Apr 2017, Muenz, Michael wrote: > >> but on the last command ipsec "import debian.p12" I get a: >> >> Enter password for PKCS12 file: >> pk12util: PKCS12 IMPORT SUCCESSFUL >> certutil: Could not find cert: NOC CA >> : PR_FILE_NOT_F

Re: [Swan-dev] error message when not running?

2017-03-20 Thread Matt Rogers
On Mon, Mar 20, 2017 at 12:20 PM, Paul Wouters wrote: > > I received this bug report, which I kind of agree with. But I'd like to > hear from others. > > Paul > I agree as well, it's redundant. Regards, Matt ___ Swan-dev mailing list Swan-dev@lists.libr

Re: [Swan] SELinux labeled ipsec

2017-02-03 Thread Matt Rogers
This might not be related to your issue but I remember putting in a fix for a labeled IPsec setup in last year (around 3.14?). You should at least make sure that your build has it, it's the most recent labeled IPsec related change. commit 1543f3c66bce961a94d119d7b3c32ad965cf07d3 Author:

[Swan-commit] Changes to ref refs/heads/master

2017-01-13 Thread Matt Rogers
New commits: commit c0388c60af445b232bfd73c00fe57d36e7b18505 Merge: a38f285 43f7481 Author: Matt Rogers Date: Fri Jan 13 17:46:17 2017 -0500 Merge branch 'nss_logs' commit 43f74811bc90f1df1671a14abb4e3b3294855f2e Author: Matt Rogers Date: Fri Jan 13 17:44:24 2017 -0500

Re: [Swan-dev] crash introduced in c2ea0911 while replacing IKEv1 ISKAMP SA

2016-11-14 Thread Matt Rogers
On Sat, 2016-11-12 at 10:21 +0200, Tuomo Soini wrote: > On Fri, 11 Nov 2016 13:47:03 -0500 > Matt Rogers wrote: > > > > > I've added a patch and comment to the bug; with 14348a4e reverted > > and > > the patch applied, there should be no more

[Swan-commit] Changes to ref refs/heads/master

2016-11-14 Thread Matt Rogers
New commits: commit 01d8ece19bd632b2b181cc407a3831f6ef092b41 Author: Matt Rogers Date: Mon Nov 14 10:01:08 2016 -0500 pluto: fix crash with c2ea09114 Since st->st_requested_ca is now updated, let its freeing be handled by delete_state() o

Re: [Swan-dev] crash introduced in c2ea0911 while replacing IKEv1 ISKAMP SA

2016-11-11 Thread Matt Rogers
On Wed, 2016-11-02 at 20:32 +0200, Tuomo Soini wrote: > On Sat, 29 Oct 2016 19:10:18 +0200 > Antony Antony wrote: > > > > > c2ea0911 introduced a crasher for IKEv1. When pluto replace IKE SA > > and delete itself. > > > > #0  0x5610ca3c34b7 in free_generalNames (gn=0xe, free_name=1) > >    

[Swan-commit] Changes to ref refs/heads/master

2016-10-13 Thread Matt Rogers
New commits: commit 36b71dc354e0bb7ddeece262acb5e8aac8486026 Author: Matt Rogers Date: Thu Oct 13 19:51:05 2016 -0400 dist_certs.py: create "badca" with a false CA ext ___ Swan-commit mailing list Swan-commit@lists.libreswan

Re: [Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd handling

2016-05-02 Thread Matt Rogers
On 05/02, Sumit Bose wrote: > On Thu, Apr 28, 2016 at 02:58:07PM -0400, Matt Rogers wrote: > > On 04/27, Matt Rogers wrote: > > > On 04/27, Sumit Bose wrote: > > > > On Tue, Apr 26, 2016 at 02:02:04PM -0400, Matt Rogers wrote: > > > > > On 04/26, Sumit

Re: [Freeipa-devel] MIT KRB5 uses 32bit time stamp

2016-05-02 Thread Matt Rogers
ription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- Matt Rogers Red Hat, Inc -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com

Re: [Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd handling

2016-04-28 Thread Matt Rogers
On 04/27, Matt Rogers wrote: > On 04/27, Sumit Bose wrote: > > On Tue, Apr 26, 2016 at 02:02:04PM -0400, Matt Rogers wrote: > > > On 04/26, Sumit Bose wrote: > > > > On Thu, Apr 14, 2016 at 12:59:55PM -0400, Matt Rogers wrote: > > > > >

Re: [Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd handling

2016-04-27 Thread Matt Rogers
On 04/27, Sumit Bose wrote: > On Tue, Apr 26, 2016 at 02:02:04PM -0400, Matt Rogers wrote: > > On 04/26, Sumit Bose wrote: > > > On Thu, Apr 14, 2016 at 12:59:55PM -0400, Matt Rogers wrote: > > > > > > > > > > > > - Original Message --

Re: [Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd handling

2016-04-26 Thread Matt Rogers
On 04/26, Sumit Bose wrote: > On Thu, Apr 14, 2016 at 12:59:55PM -0400, Matt Rogers wrote: > > > > > > - Original Message - > > > From: "Nathaniel McCallum" > > > To: "Matt Rogers" , freeipa-devel@redhat.com > > > Se

Re: [Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd handling

2016-04-14 Thread Matt Rogers
- Original Message - > From: "Nathaniel McCallum" > To: "Matt Rogers" , freeipa-devel@redhat.com > Sent: Thursday, April 14, 2016 10:32:15 AM > Subject: Re: [Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd > handling > > On Mon, 201

[Freeipa-devel] [PATCH] 0001 ipa_kdb add krbPrincipalAuthInd handling

2016-04-11 Thread Matt Rogers
Hi, The attached patch is a part of the authentication indicator enhancements, adding indicator value storage and retrieval for the KDB driver. https://fedorahosted.org/freeipa/ticket/5782 Regards, --- Matt Rogers Red Hat, Inc From 4aedaf64320b52485407f6798788ecd367c3a002 Mon Sep 17 00:00:00

Re: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks

2016-02-11 Thread Matt Rogers
- Original Message - > From: "Jacob Vind" > To: swan@lists.libreswan.org > Sent: Thursday, February 11, 2016 7:59:01 AM > Subject: [Swan] Problem with subnet-to-subnet setup behind NAT'ed networks > > Hi, > > I really hope we can get some help, we are trying to set up a > subnet-to-sub

[Swan-commit] Changes to ref refs/heads/master

2016-01-12 Thread Matt Rogers
New commits: commit 38a7a0ac86fb914ec42f78ab1b130626cfd82e1d Merge: 5a66ac6 3958bdd Author: Matt Rogers Date: Tue Jan 12 10:40:48 2016 -0500 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 5a66ac6029b2a63b9c5fe2457cb9ce71cc94 Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2015-12-22 Thread Matt Rogers
New commits: commit 721262eab89cf76b67ba6f1fdc361732e77a75cd Merge: 2d33172 13388c5 Author: Matt Rogers Date: Tue Dec 22 00:52:54 2015 -0500 Merge branch 'contrib_leaks' commit 13388c5d178dee9d10c79c17c6199bcc7f6fb744 Author: Matt Rogers Date: Fri Dec 18 19:33:42 2015 -0500

[Swan-commit] Changes to ref refs/heads/master

2015-12-08 Thread Matt Rogers
New commits: commit 5551f2544b2b1d9b01f14f97192277ef4b2269a7 Author: Matt Rogers Date: Tue Dec 8 15:44:56 2015 -0500 pluto: trusted_ca_nss cleaner without goto

[Swan-commit] Changes to ref refs/heads/master

2015-12-08 Thread Matt Rogers
New commits: commit 70e4af971a40a00fdcfac7d6857d68aa42b74eb9 Merge: 7c0c672 9b70a7c Author: Matt Rogers Date: Tue Dec 8 15:04:35 2015 -0500 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 7c0c6726166d77e744e3639bb8ae5b3181a35e07 Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2015-12-07 Thread Matt Rogers
New commits: commit c882872fd69becf7cf0691453a679d95c6d0c773 Author: Matt Rogers Date: Mon Dec 7 15:36:14 2015 -0500 testing: nss-cert-chain-04 changes

[Swan-commit] Changes to ref refs/heads/master

2015-12-07 Thread Matt Rogers
New commits: commit 870f220f11260ad9dc327d19d37e7ba8c75efb4a Author: Matt Rogers Date: Mon Dec 7 13:34:32 2015 -0500 testing: nss-cert-chain-04 WIP

Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-13 Thread Matt Rogers
On 12/11/15 08:20, Tom Robinson wrote: > > Hi Matt, > > > > Thanks for your response. > > > > On 12/11/15 01:15, Matt Rogers wrote: > >> You should set rightid=%fromcert so it will use the received cert subject > >> as the ID here. > >> > >

[Swan-commit] Changes to ref refs/heads/master

2015-11-11 Thread Matt Rogers
New commits: commit 6d909f1963dfecfcc08f114d6bd555b7fcf9184b Author: Matt Rogers Date: Wed Nov 11 12:34:56 2015 -0500 Add CAP_DAC_READ_SEARCH to the added capabilities CAP_DAC_READ_SEARCH was only in the bounding set. Without it in the added set, pam authentication with a

Re: [Swan] IKEv2 connection "no RSA public key known for" and "RSA authentication failed"

2015-11-11 Thread Matt Rogers
- Original Message - > From: "Tom Robinson" > To: swan@lists.libreswan.org > Sent: Tuesday, November 10, 2015 6:54:39 PM > Subject: [Swan] IKEv2 connection "no RSA public key known for" and "RSA > authentication failed" > > Hi, > > I've had a lot of success with IPSec/L2TP but have face

Re: [Swan-dev] Generate test certificates iff missing

2015-10-22 Thread Matt Rogers
- Original Message - > From: "Andrew Cagney" > To: "Libreswan Development List" > Sent: Thursday, October 22, 2015 10:32:12 AM > Subject: [Swan-dev] Generate test certificates iff missing > > I'd like to change testing/pluto/Makefile so that "make check" will > generate the certificates

Re: Connecting AdWords accounts via API

2015-10-14 Thread Matt Rogers
M. On Tuesday, 13 October 2015 14:01:59 UTC+1, Matt Rogers wrote: > > Hey Guys, > > So we have a shiny new Independent Software Developer key which we're very > excited to use! :) > > I have some basic questions on the solution which we're trying to achieve, > thi

[Swan-commit] Changes to ref refs/heads/master

2015-10-13 Thread Matt Rogers
New commits: commit 6d72167f564151cbd0db9614031fd4d42dd969c9 Merge: 618951b e8992cd Author: Matt Rogers Date: Tue Oct 13 16:36:44 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 618951b7a28a64fec49fc103952e496591907602 Author: Matt Rogers D

Connecting AdWords Accounts

2015-10-13 Thread Matt Rogers
Hey Guys, We have just received a shiny new "Independent Software Vendor" key and we're very excited to start using it. We're after a process like this: 1. New user comes along to our website 2. They registered and connect up their AdWords account (might be a single account, or it mi

Connecting AdWords accounts via API

2015-10-13 Thread Matt Rogers
Hey Guys, So we have a shiny new Independent Software Developer key which we're very excited to use! :) I have some basic questions on the solution which we're trying to achieve, this is what we're trying to do: 1. User surfs over to our website 2. User signs up to our service online

Re: [Swan] No PARENT proposal selected

2015-10-09 Thread Matt Rogers
> Seems libreswan doesn't load the fw certificate, but it's a little bit > odd because ipsec auto --listall shows all the certs like I expect. I > will retrace my steps to see what I missed. > > Oct 9 10:02:02 fw-kz pluto[30128]: | Added new connection rw-ikev2 with > policy > RSASIG+ENCRYPT+TU

[Swan-commit] Changes to ref refs/heads/master

2015-08-21 Thread Matt Rogers
New commits: commit d8ce67e0f8afb1fbc3ab9184d40b9fd07252408c Author: Matt Rogers Date: Fri Aug 21 14:45:34 2015 -0400 pluto: Use PORT_ErrorToString() to translate NSS errors

[Swan-commit] Changes to ref refs/heads/master

2015-08-19 Thread Matt Rogers
New commits: commit 1543f3c66bce961a94d119d7b3c32ad965cf07d3 Author: Matt Rogers Date: Wed Aug 19 15:59:12 2015 -0400 Fix labeled ipsec SECCTX parsing

[Swan-dev] Including "ipsec ca"

2015-07-13 Thread Matt Rogers
I've pushed a branch called ipsec_ca with the WIP python code that makes up the 'ipsec ca' command. Right now it's not install-able to be used with the ipsec wrapper, so if you want to test it out, you can run _ipsec_ca under the programs/_ipsec_ca/ directory. 'ipsec ca' is a tool for users that

Re: [Swan-dev] time to delete old dist_certs shell script (attempt #2)?

2015-06-24 Thread Matt Rogers
On June 24, 2015 11:34:53 AM EDT, "D. Hugh Redelmeier" wrote: >| From: Andrew Cagney > >| This doesn't seem like a reason for retaining the old shell scripts - >| they are so far behind that they don't even generate all the required >| keys. BTW, best place to run dist_certs.py is on one of th

[Swan-commit] Changes to ref refs/heads/master

2015-06-12 Thread Matt Rogers
New commits: commit a34c55f18b25f6f6f3f6a03b7c212d6e2d7517f9 Merge: 2ac3a33 a7a1a79 Author: Matt Rogers Date: Fri Jun 12 18:42:51 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 2ac3a33a1753200ab64a6920c814bddc1499c87f Merge: 80067fd 8e04

[Swan-commit] Changes to ref refs/heads/master

2015-06-12 Thread Matt Rogers
New commits: commit 80067fd8cae74470e23a9294e56c91d9f4e35eaf Author: Matt Rogers Date: Fri Jun 12 17:15:12 2015 -0400 testing: dist_certs.py certs should be version 3 (0x2) not 4 (0x3)

[Swan-commit] Changes to ref refs/heads/master

2015-06-12 Thread Matt Rogers
New commits: commit f733bbf5b8317b7b559be80ba0cb2fbcb11550a0 Merge: a219bb2 3757a63 Author: Matt Rogers Date: Fri Jun 12 13:02:01 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit a219bb27f1b5b1719c512a19464938571507f814 Author: Matt Rogers D

Re: [Swan] Certificate confusion (fwd)

2015-05-29 Thread Matt Rogers
> Date: Thu, 28 May 2015 12:32:30 > From: John Crisp > To: Paul Wouters > Subject: LibreSwan list > > > Certificate confusion > > Hi, > > I'm trying to move from using PSK authent to certificates. > > Have read the Libreswan/NSS howto but seem to be tripping up somewhere. > Certificate hell

[Swan-commit] Changes to ref refs/heads/master

2015-05-28 Thread Matt Rogers
New commits: commit 47b9a7d3cff1f1d04a46c54411ddcae8c4cc45aa Author: Matt Rogers Date: Thu May 28 16:59:37 2015 -0400 correct curl-timeout ugh message

[Swan-commit] Changes to ref refs/heads/master

2015-05-17 Thread Matt Rogers
New commits: commit d5bc066da0d23ba25054e9b8fc282e3465275bc5 Author: Matt Rogers Date: Sun May 17 15:54:58 2015 -0400 ipsec: print filename in case of error with crlutil/certutil commit 0f40d816d1a34559f0f102288270ec734185d1f4 Merge: 4111cdb 80e371b Author: Matt Rogers Date: Sun May 17

[Swan-commit] Changes to ref refs/heads/master

2015-05-15 Thread Matt Rogers
New commits: commit aee92de58941acdc9138be137e383f14c436773f Merge: a476aad e1d8a84 Author: Matt Rogers Date: Sat May 16 02:39:58 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit a476aad87ce4eaece67a514dee835572140f76b3 Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2015-05-12 Thread Matt Rogers
New commits: commit 7037550a3f9e41ace432cf3b0522aff1022d350e Merge: 26fffb6 cc6116f Author: Matt Rogers Date: Tue May 12 18:09:45 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 26fffb6af512e5aae0511130c5d18e6d876f1fc9 Merge: d0088db 8bb5

Re: [Swan-dev] pluto: Fix bogus "no RSA public key known for '%fromcert'"

2015-05-01 Thread Matt Rogers
On 05/01, Herbert Xu wrote: > When refine_host_connection tests against a %fromcert RW connection > followed by other right=%any connections with fixed IDs (e.g., > @hostname), it will lose the fromcert setting. So when it does > eventually return with the %fromcert RW connection fromcert will > b

Re: [Swan-dev] pluto: Fix NSS certificate crash

2015-05-01 Thread Matt Rogers
On 04/30, Herbert Xu wrote: > When we instantiate a connection we simply copy the certificate > over, without getting a reference count over the new certificate > reference, resulting in a bogus certificate when the instance is > deleted. > > Signed-off-by: Herbert Xu > > diff --git a/programs/p

[Swan-commit] Changes to ref refs/heads/master

2015-04-07 Thread Matt Rogers
New commits: commit 6dddfb445548683b98f3ea47b829e82f7564887e Merge: dc4d4e5 e3d9b88 Author: Matt Rogers Date: Tue Apr 7 14:54:44 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit dc4d4e5104ee4f853bdb7f24f2b9d53cbd70bc1d Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2015-04-07 Thread Matt Rogers
New commits: commit 1d40fc2e1e2cdf1e577630b82fe08307e76d4cf1 Author: Matt Rogers Date: Tue Apr 7 11:28:15 2015 -0400 _stackmanger: fix basename arguments for modprobe

[Swan-commit] Changes to ref refs/heads/master

2015-03-31 Thread Matt Rogers
New commits: commit c9451b731d4fad4e0e5f5c2ac47b280a13f52649 Author: Matt Rogers Date: Tue Mar 31 17:36:27 2015 -0400 Add ipsec auto --purgeocsp for flushing the NSS OCSP cached responses.

[Swan-commit] Changes to ref refs/heads/master

2015-03-30 Thread Matt Rogers
New commits: commit 7283d80eb009ff92822d49bcc2adc17e4486206c Merge: 81700d0 e9576ee Author: Matt Rogers Date: Mon Mar 30 12:38:37 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 81700d04f86600f3bf3200f48ba8549f1fa2bde1 Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2015-03-23 Thread Matt Rogers
New commits: commit 73c724fe9b57ed6efbbbe2f68543d74e58c86919 Merge: 9b9069b a4499fb Author: Matt Rogers Date: Tue Mar 24 00:36:47 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 9b9069b4cc0c37ff4206ba7bd7621c78fb4a4026 Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2015-03-23 Thread Matt Rogers
New commits: commit 83936beead696be840e02217149e23f1bd4ef6fd Merge: e9ac3c9 106d5d8 Author: Matt Rogers Date: Mon Mar 23 12:43:18 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit e9ac3c9ab938374610fc88ec55064da5b5c525bd Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2015-03-21 Thread Matt Rogers
New commits: commit dc1e40c0061cfa8ce5057e571894e5af12279881 Author: Matt Rogers Date: Sat Mar 21 21:42:08 2015 -0400 x509: handle PRTime properly also restore the CERT_GetCertTimes failure result (which was not the culprit) commit 04810c1e0d35bfb326944fcc784cf29b570109a9 Merge

[Swan-commit] Changes to ref refs/heads/master

2015-03-16 Thread Matt Rogers
New commits: commit 647821a3eeb40db25811fd8409817334668cbd2c Author: Matt Rogers Date: Mon Mar 16 14:28:34 2015 -0400 Return -1 for a CERT_GetCertTimes() failure in get_nss_cert_notafter() (this would be a time decoding error, and check_expiry considers < 0 as an invalid pub

[Swan-commit] Changes to ref refs/heads/master

2015-03-16 Thread Matt Rogers
New commits: commit 8aae477436afc39bc76d015ded36a2487c142142 Merge: dd25683 8e15e45 Author: Matt Rogers Date: Mon Mar 16 13:24:54 2015 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit dd256830317120fbc6dd8f40787c30b9a144640e Author: Matt Rogers D

Re: [Swan-dev] notes from meeting nss guys

2015-02-27 Thread Matt Rogers
On 02/26, Paul Wouters wrote: > On Tue, 24 Feb 2015, Matt Rogers wrote: > > >Yes, the re-write uses the SQL format database which is for allowing > >simultaneous access. Now the decoding, verification, revocation checking > >and importing of certificates is handled by a

Re: [Swan-dev] notes from meeting nss guys

2015-02-24 Thread Matt Rogers
On 02/24, Antony Antony wrote: > Hi, > Yesterday Paul and I met with NSS guys and here are some notes from the > meeting. > Thanks for the notes! I'm bummed I missed it considering I have been working on the x509 NSS re-write recently. > NSPR threading: no need to use NSPR threading on Linux, b

Re: [Swan-dev] Pluto crash with expired certificates

2015-02-06 Thread Matt Rogers
On 02/05, Paul Wouters wrote: > On Thu, 5 Feb 2015, Wolfgang Nothdurft wrote: > > >With commit aac20299b27be6c401cb5d45262a559994e52431 a bug was > >introduced that causes pluto to crash if an end user certificate > >is expired. > > >The attached patch added the missing return false statement to

Re: [Swan-dev] test caes as documentation versus ipsec.conf.common ease of use

2015-02-04 Thread Matt Rogers
On 02/04, Paul Wouters wrote: > > Antony brought up a while ago that due to our use of ipsec.conf.common, > the test cases do not work very well as documentation. It would be much > better to write out the full configurations so people can read them and > understand them better. > > I did not lik

Re: [Swan-dev] generating x509 certificates

2015-02-04 Thread Matt Rogers
On 02/04, Andrew Cagney wrote: > Matt, > thanks for the reply, > > On 3 February 2015 at 17:27, Matt Rogers wrote: > > > Hey, sorry for the late reply here. Been away from email/irc for the > > day. In short the dist_certs.py is the WIP replacement for the > > s

Re: [Swan-dev] generating x509 certificates

2015-02-03 Thread Matt Rogers
On 02/03, Andrew Cagney wrote: > Hi, > > I've hit a few problems when trying to run the tests that require > certificates. The main one is that the script dist_certs fails as > openssl (Fedora release 20 (Heisenbug) at least) doesn't like > generating the bad certificate: > > The organizationNam

Re: [Swan] Struggling with certificates

2015-01-27 Thread Matt Rogers
On 01/27, Nick Howitt wrote: > Matt, > > Thanks. That was it. > No problem, with some of the upcoming changes you won't need to restart pluto to pick up new certs. > Do you know anything about setting up Windoze Phone? > No, sorry :P I believe Paul has done some testin

Re: [Swan] Struggling with certificates

2015-01-27 Thread Matt Rogers
On 01/27, Nick Howitt wrote: > 002 forgetting secrets > 002 loading secrets from "/etc/ipsec.secrets" > 002 loading secrets from "/etc/ipsec.d/ipsec.secrets" > 002 could not open host cert with nick name 'alex' in NSS > DB > 003 "/etc/ipsec.d/ipsec.secrets" l

Re: [Swan-dev] shared IKE SA interop bug with cisco

2014-12-08 Thread Matt Rogers
On 12/04, Antony Antony wrote: > can you commit test as a wip? I am curious to see what is going on. I need > the same for IKEv2 and CREATE_CHILD_SA. > Take a look at the conn_shared_ike branch that I pushed, it has a test and continuation of the patch. I was focusing on the IKEv1 side of this s

Re: [Swan-dev] shared IKE SA interop bug with cisco

2014-12-04 Thread Matt Rogers
On 11/30, Paul Wouters ? wrote: > On Fri, 28 Nov 2014, Matt Rogers wrote: > > >>Matt wrote the problem below. I am still confused what exactly is > >>happening and why we would need his patch for this. I would think > >>that if we --down tunnelA we should notic

Re: [Swan-dev] dist_certs.py and crl tests

2014-12-01 Thread Matt Rogers
On 11/28, Paul Wouters ? wrote: > On Fri, 28 Nov 2014, Matt Rogers wrote: > > (moved discussion to swan-dev) > > >>The intent was that the signature made by the CAcert over the CRL was > >>either not yet valid or expired. This is unrelated to the content of the

Re: [Swan-dev] shared IKE SA interop bug with cisco

2014-11-28 Thread Matt Rogers
On 11/25, Paul Wouters ? wrote: > > Matt wrote the problem below. I am still confused what exactly is > happening and why we would need his patch for this. I would think > that if we --down tunnelA we should notice the phase1 is still used > by tunnelB and leave/move it around instead? > The use

[Swan-commit] Changes to ref refs/heads/master

2014-11-23 Thread Matt Rogers
New commits: commit 330baab55efea3b750ea60042142135728dd22e6 Author: Matt Rogers Date: Sun Nov 23 19:19:34 2014 -0500 testing: dist_certs.py - fix the revoked certificate serial numbers commit 40321997dd473dd0aef206f06696e31dc17999b1 Author: Matt Rogers Date: Sun Nov 23 19:18:40 2014

[Swan-commit] Changes to ref refs/heads/master

2014-11-21 Thread Matt Rogers
New commits: commit 1330a54727a3c94904bf6194854eaddbb81ffd0f Merge: bcec875 13d5258 Author: Matt Rogers Date: Fri Nov 21 15:44:38 2014 -0500 Merge branch 'new_dist_certs' commit 13d52582cd93e4799be633137424931cea760f64 Author: Matt Rogers Date: Fri Nov 21 15:40:47

Re: [Swan-dev] OCSP support in libreswan

2014-11-07 Thread Matt Rogers
On November 7, 2014 10:28:31 AM EST, "CHEN, JIANFU (RC-CA)" wrote: >The company I am working with plan to have OCSP (online certificate >status protocol) support for VPN. > >The system we are using for VPN is libreswan. But I found that >currently libreswan does not have OCSP support. > >I foun

Re: [Swan-dev] a different git branching model for Libreswan

2014-10-30 Thread Matt Rogers
On 10/30, Paul Wouters wrote: > > > >In this one, master is sacred and seems to only include final > >releases. > > This is the model (and in fact the actual web page describing it) that > we were trying to deploy. What I like about it is th

Re: [Swan-dev] OCSP timeline ?

2014-10-30 Thread Matt Rogers
On 10/29, jone...@teksavvy.com wrote: > Hello, > > Is there a timeline for the integration of an OCSP feature in > Libreswan ? What would be a reasonable timeframe ? > > Thanks ! No real timeline to share, but it's being worked on. The current x509 code is changing significantly in order to h

Re: [Swan-dev] a different git branching model for Libreswan

2014-10-29 Thread Matt Rogers
On 10/29, D. Hugh Redelmeier wrote: > My suggested solution: release/freeze branches > == > > We should never freeze master. > > When we want a freeze for a release, create a release branch. > > Work continues on master. > > If something should be in

[Swan-commit] Changes to ref refs/heads/master

2014-10-24 Thread Matt Rogers
New commits: commit 707d48dbf94e9974cd57b71b6ffc14ccf3b95fa0 Author: Matt Rogers Date: Fri Oct 24 19:15:17 2014 -0400 swantest: change 'hosts' to 'all_hosts' to fix --noreboot

[Swan-commit] Changes to ref refs/heads/master

2014-10-24 Thread Matt Rogers
New commits: commit abef68b7ddf4d13050c743671bb8494801b6d9fc Merge: 7ea0931 d03b718 Author: Matt Rogers Date: Fri Oct 24 16:23:39 2014 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 7ea09314fb99e58e4077db96e6634f83bf18b8fd Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2014-10-07 Thread Matt Rogers
New commits: commit 0d36f771e8155445d3e508fe7b8c638cdca97aa3 Author: Matt Rogers Date: Tue Oct 7 23:46:48 2014 -0400 testing: add ikev2-x509-03 (IKEv2 %fromcert verification) commit 56ffa4a8f77910632ea2dbb9566bb84172f94162 Author: Matt Rogers Date: Tue Oct 7 23:43:36 2014 -0400

Re: [Swan-dev] VID and IKE v2

2014-10-03 Thread Matt Rogers
On October 3, 2014 7:25:17 PM EDT, Paul Wouters wrote: >On Fri, 3 Oct 2014, D. Hugh Redelmeier wrote: >fragmentation will be done differently in ikev2 unfortunately, using: > >https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-fragmentation-10 > >Although nothing stops us from adding a Notify

[Swan-commit] Changes to ref refs/heads/master

2014-10-03 Thread Matt Rogers
New commits: commit 5a16911178266c745d8e0b3e937964eea5740b18 Merge: 187b651 f3905cc Author: Matt Rogers Date: Fri Oct 3 11:43:08 2014 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 187b651e603bb71492db36f693108098c873cc75 Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2014-09-24 Thread Matt Rogers
New commits: commit 0abe90341cb25f946c8ba6a1e9487e64b9bd2d63 Author: Matt Rogers Date: Thu Sep 25 00:10:48 2014 -0400 updated CHANGES commit 01d89a22323dd8faf5879c99c48805806bbd6673 Author: Matt Rogers Date: Thu Sep 25 00:08:20 2014 -0400 testing: added CA chain tests to TESTLIST

[Swan-commit] Changes to ref refs/heads/master

2014-09-19 Thread Matt Rogers
New commits: commit c2f4010064c179578647e72a5df536667ff8a6f7 Author: Matt Rogers Date: Fri Sep 19 12:05:08 2014 -0400 testing: update x509-pluto-02 (a fail with passert)

[Swan-commit] Changes to ref refs/heads/master

2014-09-11 Thread Matt Rogers
New commits: commit 4b4bb80c198931f3730025673a07fee209a36e5c Author: Matt Rogers Date: Thu Sep 11 18:43:32 2014 -0400 testing: revive ikev2-x509-01 update interop-ikev2-strongswan-19-x509-res-certreq description add tests to TESTLIST commit

[Swan-commit] Changes to ref refs/heads/master

2014-09-09 Thread Matt Rogers
New commits: commit c3286e9dcd0908ea9406a97eebd426d1d920870b Author: Matt Rogers Date: Tue Sep 9 15:28:19 2014 -0400 testing: fix interop-ikev2-strongswan-04-x509-responder

[Swan-commit] Changes to ref refs/heads/master

2014-09-08 Thread Matt Rogers
New commits: commit 815990cdb258419aa90951f0ca344a1787a016f6 Merge: db2cba4 cdc383d Author: Matt Rogers Date: Mon Sep 8 14:22:17 2014 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit db2cba4b7502261db5629fe175373a4a290a1b4e Author: Matt Rogers D

[Swan-dev] NSS DB update

2014-09-03 Thread Matt Rogers
Hey all, I've pushed a branch called nss_upgrade_9_03 that has patches for pluto to start using an SQL format NSS database, outside of the ipsec.d dir (/var/lib/pluto by default). Pluto still opens the database read-only as the intent is to use helper programs to write to the database as needed in

[Swan-commit] Changes to ref refs/heads/master

2014-09-03 Thread Matt Rogers
New commits: commit 8c6c5db8a28dcf60b53e14e69fe1b01300a42b34 Author: Matt Rogers Date: Fri Aug 22 11:17:56 2014 -0400 Fix "ModeCfg attr type: 16521??" enum values

[Swan-commit] Changes to ref refs/heads/master

2014-09-03 Thread Matt Rogers
New commits: commit 72b284287b748c5a8b5c8ca25b7a972c2b2e1bf0 Merge: 7c2c2ef 0f10f64 Author: Matt Rogers Date: Tue Jul 29 12:56:16 2014 -0400 Merge branch 'master' of ssh://vault.libreswan.fi/srv/src/libreswan commit 7c2c2ef40b9bf2411e39a09f706b07408a080ef9 Author: Matt Rogers D

[Swan-commit] Changes to ref refs/heads/master

2014-09-03 Thread Matt Rogers
New commits: commit e7cb2aa6af2d9af26218cefef7a75d63102d1670 Author: Matt Rogers Date: Wed Aug 27 21:29:12 2014 -0400 Change _updown return codes for resolv.conf, which broke connections to a peer offering Cisco split tunnel routes

[Swan-commit] Changes to ref refs/heads/master

2014-09-03 Thread Matt Rogers
New commits: commit 8631927de23f6c6fe32893dd65b5daba8568d8f8 Author: Matt Rogers Date: Fri Aug 22 10:42:21 2014 -0400 XAUTH: Add note about htpasswd -d

Re: [Swan-dev] naming v2 states

2014-08-29 Thread Matt Rogers
I like the suggested set at the bottom there. I think avoiding calling the resulting states a CHILD and instead calling them IKE or IPSEC is a good idea. I also like the idea of incorporating the intended SA type in the CHILD exchange's state names. Matt

Re: [Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

2014-08-22 Thread Matt Rogers
On 08/22, Remy van Elst wrote: > > > On 08/22/14 16:30, Matt Rogers wrote: > > On 08/22, Remy van Elst wrote: > >> How would I apply this to system/PAM authentication? The passwords in > >> the shadow file are SHA512 ($6$...) > >> > > chpasswd(8)

Re: [Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

2014-08-22 Thread Matt Rogers
am stack), and crypt would support the SHA512 type. Is your system-auth configuration much different than the RHEL/CentOS default? Matt > > > On 08/21/14 21:15, Matt Rogers wrote: > > On 08/21, Pontus Wiberg wrote: > >> FYI did a new setup on a Ubuntu server with no addition

Re: [Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

2014-08-21 Thread Matt Rogers
On 08/21, Pontus Wiberg wrote: > FYI did a new setup on a Ubuntu server with no additional software but > Libreswan and the requirements, a clean setup, clean ipsec.conf, getting > the same error. The password is incorrectly handled by Libreswan or some > dependency somewhere, same error as I've ha

Re: [Swan] XAUTH: PAM auth chain failed with '7' on CentOS 7

2014-08-20 Thread Matt Rogers
On 07/21, Remy van Elst wrote: > Hello Paul, > > 3.9 does not seem to fix the problem, I still get login errors with > either PAM or a passwd file, same steps as earlier but with the new > packages: > > Jul 21 16:04:45 localhost.localdomain pluto[3836]: "xauth-rsa"[4] > 83.162.250.46 #2: NAT-Trav

[Swan-dev] CA chains / Bug 182

2014-08-15 Thread Matt Rogers
Hey all, I pushed the branch for this so I can start getting some eyes on it. Test cases are on the way. A summary of the changes: - Added load_end_ca_path() to load the available intermediate CA certs into the connection - Added the connection option "sendca=none|issuer|all". This is a very

[Swan-dev] Storing of cert chains

2014-08-02 Thread Matt Rogers
I'm using the spd "end" structures 'this' and 'that' (ie c->spd.that.ca_path) to store the chain of CA certs. The 'this' end is loaded with the local cert path of the end certificate on a connection add, and the 'that' end is a list of CA certs received from the peer (which are all validated as a g

[Swan-commit] Changes to ref refs/heads/master

2014-06-23 Thread Matt Rogers
New commits: commit 87c3951c94eb5f5b2e13e8533a8735e6b5c98795 Author: Matt Rogers Date: Fri Jun 20 17:04:28 2014 -0400 A newly established IKE SA should have the initial DPD event check for recent activity (rhbz #908478)

[Swan-dev] passert on latest master

2014-06-08 Thread Matt Rogers
Just noticed this while testing other things (I was creating the auth fail on purpose): Jun 8 11:29:05 east pluto[18494]: "cert" #1: ignoring informational payload AUTHENTICATION_FAILED, msgid=, length=12 Jun 8 11:29:05 east pluto[18494]: | ISAKMP Notification Payload Jun 8 11:29:05 ea

[Swan-commit] Changes to ref refs/heads/master

2014-06-08 Thread Matt Rogers
New commits: commit 2df04e61b41be2c25790347d168db2c0e62c1f3c Author: Matt Rogers Date: Sun Jun 8 10:12:15 2014 -0400 mononow() in defs.c needs -lrt Compiling failed with: /bin/ld: defs.o: undefined reference to symbol 'clock_gettime@@GLIBC_

[Swan-commit] Changes to ref refs/heads/master

2014-06-07 Thread Matt Rogers
New commits: commit 634558a0eaf999841184a5fbbe73d6408e5af365 Author: Matt Rogers Date: Fri Jun 6 23:40:46 2014 -0400 Remove some unnecessary NAT-T debug messages that sometimes lied, ex: pluto[8560]: | st_localport != pluto_nat_port (4500 != 4500
