    [Ipsec-tools-devel] time for 0.8.1 ?
    From: Timo Teras <timo.teras@ik…> - 2012-08-23 11:55


    It's been almost 1.5 years since 0.8.0 was released. There's been only
    a handful [see below] of commits to 0.8 branch, but some of them are
    quite essential.

    I'm planning to do 0.8.1 release tarball soon. Please yell if we need
    to cherry-pick more commits, or you have pending things for the


    ChangeLog for the 0.8 branch since 0.8.0 tagging:

    2012-08-23  Timo Teras <timo.teras@…>
            * src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
              memory allocation.

    2012-01-01  Timo Teras <timo.teras@...>
            * src/racoon/isakmp_unity.c: From Rainer Weikusat
              <rweikusat@...>: Fix one byte too short memory
              allocation in isakmp_unity.c:splitnet_list_2str().

    2011-11-17  Yvan Vanhullebus <vanhu@...>
            * src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
              current element could be removed during the loop

    2011-11-14  Timo Teras <timo.teras@...>
            * src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@...>:
              do not shrink pfkey socket buffers (if system default is larger than
              what we want as minimum)

    2011-08-12  Timo Teras <timo.teras@...>
            * src/racoon/privsep.c: Have privilege separation child process
              exit if the parent exits.

            * Makefile.am: Create ChangeLog for proper CVS branch.

    2011-03-18  tag ipsec-tools-0_8_0
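The 2011-11-17 handler.c entry names a crash class that is worth seeing in code: walking a BSD `<sys/queue.h>` LIST with `LIST_FOREACH` while the loop body removes and frees the current element. The following C program is an added example, not ipsec-tools code; the `entry` type, its `expired` flag and the list contents are constructed for the demonstration, and the safe-iteration macro is the standard BSD idiom (supplied inline because glibc's `<sys/queue.h>` omits it), not necessarily the exact fix racoon applied.

```c
/* Added example, not ipsec-tools code: the crash pattern behind the
 * 2011-11-17 handler.c entry (removing the current element inside
 * LIST_FOREACH) and the standard remedy. Uses the BSD <sys/queue.h>
 * macros; the entry type and the expiry flag are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/* glibc's <sys/queue.h> lacks the BSD _SAFE iterator, so supply it. */
#ifndef LIST_FOREACH_SAFE
#define LIST_FOREACH_SAFE(var, head, field, tvar)                   \
    for ((var) = LIST_FIRST((head));                                 \
         (var) != NULL && ((tvar) = LIST_NEXT((var), field), 1);     \
         (var) = (tvar))
#endif

struct entry {
    int id;
    int expired;                 /* constructed: 1 if the entry must go */
    LIST_ENTRY(entry) chain;
};
LIST_HEAD(entry_list, entry);

/* Build the list 1..n (head insertion in reverse keeps it ordered);
 * odd ids are flagged expired. */
static void populate(struct entry_list *head, int n)
{
    LIST_INIT(head);
    for (int i = n; i >= 1; i--) {
        struct entry *e = calloc(1, sizeof *e);
        if (e == NULL) abort();
        e->id = i;
        e->expired = (i % 2) == 1;
        LIST_INSERT_HEAD(head, e, chain);
    }
}

/* BUGGY: LIST_FOREACH advances with LIST_NEXT(e) after the body runs.
 * Once the body has freed e, that read is a use-after-free and the walk
 * continues through whatever the allocator left there. Kept only to
 * show the shape of the defect; it is never called. */
void purge_expired_unsafe(struct entry_list *head)
{
    struct entry *e;
    LIST_FOREACH(e, head, chain) {
        if (e->expired) {
            LIST_REMOVE(e, chain);
            free(e);             /* the loop step now dereferences freed e */
        }
    }
}

/* FIXED: capture the successor before the body may free the current
 * element. Returns the number of entries removed. */
static int purge_expired(struct entry_list *head)
{
    struct entry *e, *next;
    int removed = 0;
    LIST_FOREACH_SAFE(e, head, chain, next) {
        if (e->expired) {
            LIST_REMOVE(e, chain);
            free(e);
            removed++;
        }
    }
    return removed;
}

static int count_entries(struct entry_list *head)
{
    struct entry *e;
    int n = 0;
    LIST_FOREACH(e, head, chain) n++;
    return n;
}

/* Free whatever is left, with the same safe idiom. */
static void free_all(struct entry_list *head)
{
    struct entry *e, *next;
    LIST_FOREACH_SAFE(e, head, chain, next) {
        LIST_REMOVE(e, chain);
        free(e);
    }
}

int main(void)
{
    struct entry_list l;
    populate(&l, 6);
    printf("before: %d entries\n", count_entries(&l));
    printf("removed %d expired\n", purge_expired(&l));
    printf("after: %d entries, first id %d\n",
           count_entries(&l), LIST_FIRST(&l)->id);
    free_all(&l);
    return 0;
}
```

Built with a sanitizer (`-fsanitize=address`), calling `purge_expired_unsafe` instead of `purge_expired` reports the heap-use-after-free on the loop's next step; that is the cheapest way to catch this pattern in a daemon whose handler lists are mutated from timer callbacks.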
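The 2012-01-01 isakmp_unity.c entry fixes an allocation that was one byte too short, the usual result of sizing a joined string without its terminator. The program below is an added example, not ipsec-tools code and not a reproduction of `splitnet_list_2str()`: `joined_size()`, `join_list()` and the two sample networks are constructed to show how the separator and NUL bytes are accounted for, and how bounded writes turn a sizing mistake into a detectable failure instead of a heap overflow.

```c
/* Added example, not ipsec-tools code: correct buffer sizing when a list
 * of strings is flattened into one NUL-terminated string, the defect
 * class behind the 2012-01-01 isakmp_unity.c entry (an allocation one
 * byte too short). The functions and sample data are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for items joined by sep: the item lengths, one separator
 * between neighbours, plus the terminating NUL that is easy to forget. */
static size_t joined_size(const char *const *items, size_t n, const char *sep)
{
    size_t total = 1;                       /* the NUL terminator */
    for (size_t i = 0; i < n; i++) {
        total += strlen(items[i]);
        if (i + 1 < n)
            total += strlen(sep);
    }
    return total;
}

/* Returns a freshly allocated joined string, or NULL on failure. Every
 * write is bounded by what remains of the buffer, so a sizing mistake
 * surfaces as a NULL return rather than as a heap overflow. */
static char *join_list(const char *const *items, size_t n, const char *sep)
{
    size_t total = joined_size(items, n, sep);
    char *out = malloc(total);
    if (out == NULL)
        return NULL;
    out[0] = '\0';                          /* n == 0 yields "" */
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + off, total - off, "%s%s",
                         items[i], (i + 1 < n) ? sep : "");
        if (w < 0 || (size_t)w >= total - off) { /* truncated: would overflow */
            free(out);
            return NULL;
        }
        off += (size_t)w;
    }
    return out;
}

/* Constructed sample: two split-tunnel networks (values invented). */
static const char *const sample_nets[] = { "10.0.0.0/8", "192.168.0.0/16" };
static const size_t sample_count = sizeof sample_nets / sizeof sample_nets[0];

int main(void)
{
    char *s = join_list(sample_nets, sample_count, ",");
    if (s == NULL)
        return 1;
    printf("%zu bytes allocated for \"%s\" (strlen %zu)\n",
           joined_size(sample_nets, sample_count, ","), s, strlen(s));
    free(s);
    return 0;
}
```

The invariant to check in review is `strlen(result) + 1 == allocated_size`; an allocator-side debug mode or ASan catches the one-byte overrun that a bare `strcpy`/`sprintf` into the short buffer would produce.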

  • Something seems to be moving after all on the ipsec-tools front:


    The patches applied since the original mail are:

    2012-08-29  Timo Teras <timo.teras@…>
            * src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@...>:
              Accept DPD messages with cookies also in reversed order for
              compatibility. At least Cisco 836 running IOS 12.3(8)T does this.

            * src/racoon/oakley.c: From Roman Hoog Antink <rha@...>: add
              remote's IP address to the "certificate not verified" error message.

            * src/racoon/oakley.c: From Roman Hoog Antink <rha@...>: do not
              print unnecessary warning about non-verified certificate when using
              raw plain-rsa.

            * src/racoon/isakmp.c: From Rainer Weikusat
              <rweikusat@...>: Release unused phase2 of
              passive remotes after acquire.

            * src/racoon/isakmp.c: From Wolfgang Schmieder
              <wolfgang.schmieder@...>: setup phase1 port properly.

            * src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
              remote blocks without additional remote statements to be specified
              in a simpler way. patch by Roman Hoog Antink <rha@...>

    According to the discussion, there are two last patches to be committed any day now:

    Attached patch is a somewhat smarter X509 subject name compare.
    X509 names may contain entries with different encodings (like UTF-8).
    The old code (some copy from the ancient openssl 0.9.7 release)
    did not handle that.
    The new code only handles stripping of the wildcards from the name
    and lets openssl do the compare of all non-wildcard entries…

    And another patch to check that building ipsec-tools is done with a reasonably recent OpenSSL, 0.9.7 or newer.

