Revisions of strongswan

Marius Tomaschewski (mtomaschewski) committed (revision 7)
- Disabled libtoolize call and the gcrypt plugin on SLE 10.
Marius Tomaschewski (mtomaschewski) committed (revision 6)
- Corrected a time_t cast reported by rpmlint (timer.c:51)
Marius Tomaschewski (mtomaschewski) committed (revision 5)
Refreshed patch to avoid failure on factory (fuzz=0)
Marius Tomaschewski (mtomaschewski) committed (revision 4)
- Updated to strongSwan 4.3.6 release:
  * The IKEv2 daemon supports RFC 3779 IP address block constraints
  carried as a critical X.509v3 extension in the peer certificate.
  * The ipsec pool --add|del dns|nbns command manages DNS and NBNS
  name server entries that are sent via the IKEv1 Mode Config or
  IKEv2 Configuration Payload to remote clients.
  * The Camellia cipher can be used as an IKEv1 encryption algorithm.
  * The IKEv1 and IKEv2 daemons now check certificate path length
  constraints.
  * The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
  no traffic was sent or received within the given interval. To close
  the complete IKE_SA if its only CHILD_SA was inactive, set the
  global strongswan.conf option "charon.inactivity_close_ike" to yes.
  * More detailed IKEv2 EAP payload information in debug output
  * IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
  * Added required userland changes for proper SHA256 and SHA384/512
  in ESP that will be introduced with Linux 2.6.33.
  The "sha256"/"sha2_256" keyword now configures the kernel with 128
  bit truncation, not the non-standard 96 bit truncation used by
  previous releases. To use the old 96 bit truncation scheme, the new
  "sha256_96" proposal keyword has been introduced.
  * Fixed IPComp in tunnel mode, stripping out the duplicated outer
  header. This change makes IPComp tunnel mode connections
  incompatible with previous releases; disable compression on such
  tunnels.
  * Fixed BEET mode connections on recent kernels by installing SAs
  with appropriate traffic selectors, based on a patch by Michael
  Rossberg.
  * Using extensions (such as BEET mode) and crypto algorithms (such
  as twofish, serpent, sha256_96) allocated in the private use space
  now require that we know its meaning, i.e. we are talking to
  strongSwan. Use the new "charon.send_vendor_id" option in
  strongswan.conf to let the remote peer know this is the case.
  * Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where
  the responder omits public key authentication in favor of a mutual
  authentication method. To enable EAP-only authentication, set
  rightauth=eap on the responder to rely only on the MSK constructed
  AUTH payload. This not-yet standardized extension requires the
  strongSwan vendor ID introduced above.
  * The IKEv1 daemon ignores the Juniper SRX notification type 40001,
  thus allowing interoperability.
  * The IKEv1 pluto daemon can now use SQL-based address pools to
  deal out virtual IP addresses as a Mode Config server. The pool
  capability has been migrated from charon's sql plugin to a new
  attr-sql plugin which is loaded by libstrongswan and which can be
  used by both daemons either with a SQLite or MySQL database and the
  corresponding plugin.
  * Plugin names have been streamlined: EAP plugins now have a dash
  after eap (e.g. eap-sim), as it is used with the --enable-eap-sim
  ./configure option.
  Plugin configuration sections in strongswan.conf now use the same
  name as the plugin itself (i.e. with a dash). Make sure to update
  "load" directives and the affected plugin sections in existing
  strongswan.conf files.
  * The private/public key parsing and encoding has been split up
  into separate pkcs1, pgp, pem and dnskey plugins. The public key
  implementation plugins gmp, gcrypt and openssl can all make use
  of them.
  * The EAP-AKA plugin can use different backends for USIM/quintuplet
  calculations, very similar to the EAP-SIM plugin. The existing 3GPP2
  software implementation has been migrated to a separate plugin.
  * The IKEv2 daemon charon gained basic PGP support. It can use
  locally installed peer certificates and can issue signatures based
  on RSA private keys.
  * The new 'ipsec pki' tool provides a set of commands to maintain a
  public key infrastructure. It currently supports operations to
  create RSA and ECDSA private/public keys, calculate fingerprints and
  issue or verify certificates.
  * Charon uses a monotonic time source for statistics and job
  queueing, behaving correctly if the system time changes (e.g. when
  using NTP).
  * In addition to time based rekeying, charon supports IPsec SA
  lifetimes based on processed volume or number of packets.
  The new ipsec.conf parameters 'lifetime' (an alias to 'keylife'),
  'lifebytes' and 'lifepackets' handle SA timeouts, while the
  parameters 'margintime' (an alias to rekeymargin), 'marginbytes'
  and 'marginpackets' trigger the rekeying before a SA expires.
  The existing parameter 'rekeyfuzz' affects all margins.
  * If no CA/Gateway certificate is specified in the NetworkManager
  plugin, charon uses a set of trusted root certificates preinstalled
  by distributions. The directory containing CA certificates can be
  specified using the --with-nm-ca-dir=path configure option.
  * Fixed the encoding of the Email relative distinguished name in
  left|rightid statements.
  * Fixed the broken parsing of PKCS#7 wrapped certificates by the
  pluto daemon.
  * Fixed smartcard-based authentication in the pluto daemon which
  was broken by the ECDSA support introduced with the 4.3.2 release.
  * A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and
  vice versa tunnels established with the IKEv1 pluto daemon.
  * The pluto daemon now uses the libstrongswan x509 plugin for
  certificates and CRLs and the struct id type was replaced by
  identification_t used by charon and the libstrongswan library.
- Removed obsolete load_secrets patches
Stephan Kulow (coolo) committed (revision 3)
converted link to branch
Marius Tomaschewski (mtomaschewski) committed (revision 2)
- Linked to openSUSE:Factory
Marius Tomaschewski (mtomaschewski) committed (revision 1)
osc copypac from project:network package:strongswan revision:9