This patch is untested (I don't have a clean tree).
Does it look OK?
Basically it mutexes all updates to the allocation linked-list.
Questionable spots:
- passert inside a mutex region. Does it need to allocate memory? I hope
not. Not even on failure. Otherwise: deadlock.
- logging of l
On Thu, 10 Apr 2014, Paul Wouters wrote:
xauthby=alwaysok is not "very insecure".
IPsec VPNs can be authenticated using various different methods:
1) PreShared Key with IDs (or IPs as ID)
2) raw RSA public keys
3) X.509 Certificates
4) 1,2 or 3 plus an XAUTH/CP username+password
5) 1,2 or 3 p
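To make the distinction concrete, here is an added illustration that is not part of the thread and not configuration shipped by the libreswan project: two hypothetical libreswan ipsec.conf connections for a road-warrior gateway. The first corresponds to Paul's case 4 with X.509 as the underlying method, where the peer is already authenticated by its certificate during IKE and XAUTH is present only because some clients insist on sending a username/password; the second uses a group pre-shared key and actually checks the XAUTH password through PAM, because there the password is the only per-user secret. All connection names, addresses, IDs, certificate nicknames and address pools are made-up placeholders.

```ini
# Added illustration (not from the thread, not libreswan project config).
# All names, addresses, IDs and pools below are hypothetical placeholders.

# Case "3 plus XAUTH": the client is authenticated by its X.509 certificate
# during IKE. xauthby=alwaysok accepts whatever username/password the client
# sends, so the certificate (and the CA it chains to) is the only thing that
# must be valid. Nothing is weakened: XAUTH was never carrying a secret here.
conn rw-cert-xauth
    left=203.0.113.10              # hypothetical gateway address
    leftid=@gw.example.org
    leftcert=gatewayCert           # nickname in the NSS database (assumed)
    leftsubnet=10.0.0.0/24
    right=%any
    rightid=%fromcert
    rightca=%same                  # client cert must chain to our CA
    authby=rsasig
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=alwaysok
    rightaddresspool=10.1.0.1-10.1.0.254
    auto=add

# Case "1 plus XAUTH": a group PSK shared by every road warrior. The PSK only
# proves membership of the group; the XAUTH password is the per-user secret,
# so here it must be verified (PAM in this example) rather than always-ok.
conn rw-psk-xauth-pam
    left=203.0.113.10
    leftid=@gw.example.org
    leftsubnet=10.0.0.0/24
    right=%any
    authby=secret
    leftxauthserver=yes
    rightxauthclient=yes
    xauthby=pam
    rightaddresspool=10.1.1.1-10.1.1.254
    auto=add
```

The check to apply when reviewing such a configuration is simply: what authenticates the individual client? If it is a per-client certificate or raw RSA key, xauthby=alwaysok removes nothing; if it is a shared PSK, the XAUTH backend is the real authentication and must not be alwaysok.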
Paul,
Congratulations. Clear explanation. It deserves a good public document.
On my side I should more dig into raw RSA public keys.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:vout...@sip.linphone.org
On 04/10/2014 08:04 PM, Paul Wouters wrote:
On Thu, 1
On Thu, 10 Apr 2014, Philippe Vouters wrote:
Although it is very insecure, would embedded systems be the reason of your
xauthby=alwaysok ?
This is aside from the NSS database aspect.
xauthby=alwaysok is not "very insecure".
IPsec VPNs can be authenticated using various different methods:
1)
Paul,
Although it is very insecure, would embedded systems be the reason of
your xauthby=alwaysok ?
This is aside from the NSS database aspect.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:vout...@sip.linphone.org
On 04/10/2014 06:37 PM, Lennart Sorensen wr
On Thu, Apr 10, 2014 at 12:17:02PM -0400, Paul Wouters wrote:
> The only part where we used openssl was for OCF userland, and these days
> it is more expensive to offload crypto from userland to kernel than to
> just do it in userland yourself without acceleration, even on embedded
> hardware. So w
On Thu, Apr 10, 2014 at 12:28:35PM -0400, Paul Wouters wrote:
> I don't see why it needs to link against gnutls? Unless that is because
> of libcurl?
That's what I was wondering. I don't see libcurl in the ldd output
though.
--
Len Sorensen
___
Swan-de
On Thu, 10 Apr 2014, Lennart Sorensen wrote:
Yeah, and apparently a rather old one. For some reason I thought it
actually used openssl. I see pluto linked against gnutls, libssl and
libcrypto on Debian. It seems to have covered all its bases. It even
has libp11-kit0 as a library.
I don't se
On Thu, 10 Apr 2014, Lennart Sorensen wrote:
We understand the pain of having to add NSS to embedded platforms. But
there is really no alternative. The only switching that is possible
would be from NSS to openssl. It would make life easier on embedded
platforms that already need openssl. But for
On Thu, Apr 10, 2014 at 11:46:28AM -0400, Paul Wouters wrote:
> And with openswan not compiled for NSS, you have a fourth set of crypto
> to certify.
Yeah, and apparently a rather old one. For some reason I thought it
actually used openssl. I see pluto linked against gnutls, libssl and
libcrypto
On Thu, Apr 10, 2014 at 11:43:22AM -0400, Paul Wouters wrote:
> And use 15 year old cryptographic code that has seen no audit?
Well that was a different problem.
Almost everything uses openssl or gnutls. Picking the 3rd but not very
common option is rather annoying for embedded systems.
> And h
On Thu, 10 Apr 2014, Lennart Sorensen wrote:
I am just looking at the fact that if you want to get a product fips
certified, you have to deal with checking openssl, gnutls and nss.
That's a lot of duplication.
And with openswan not compiled for NSS, you have a fourth set of crypto
to certify.
On Thu, 10 Apr 2014, Lennart Sorensen wrote:
Libreswan already depends on NSS for crypto, not openssl.
Well openswan didn't. We haven't upgraded yet.
I would highly suggest reconsidering the use of libnss.
And use 15 year old cryptographic code that has seen no audit?
And having to extend
On Thu, Apr 10, 2014 at 11:35:35AM -0400, Lennart Sorensen wrote:
> On Thu, Apr 10, 2014 at 11:06:28AM -0400, Matt Rogers wrote:
> > On Thu, Apr 10, 2014 at 10:40:40AM -0400, Lennart Sorensen wrote:
> > > On Mon, Apr 07, 2014 at 07:22:51PM -0400, Paul Wouters wrote:
> > > > wonder if we can use thi
On Thu, Apr 10, 2014 at 11:06:28AM -0400, Matt Rogers wrote:
> On Thu, Apr 10, 2014 at 10:40:40AM -0400, Lennart Sorensen wrote:
> > On Mon, Apr 07, 2014 at 07:22:51PM -0400, Paul Wouters wrote:
> > > wonder if we can use this instead of the legacy x509 code
> >
> > I would prefer avoiding hav
On Thu, Apr 10, 2014 at 10:40:40AM -0400, Lennart Sorensen wrote:
> On Mon, Apr 07, 2014 at 07:22:51PM -0400, Paul Wouters wrote:
> > wonder if we can use this instead of the legacy x509 code
>
> I would prefer avoiding having to maintain yet another crypto library.
> Needing openssl and gnutl
On Mon, Apr 07, 2014 at 07:22:51PM -0400, Paul Wouters wrote:
> wonder if we can use this instead of the legacy x509 code
I would prefer avoiding having to maintain yet another crypto library.
Needing openssl and gnutls26 is enough thank you. Routers have no need
to run firefox and hence have