Upcoming ipsec-tools 0.8.1
-
[Ipsec-tools-devel] time for 0.8.1 ?
From: Timo Teras <timo.teras@ik…>- 2012-08-23 11:55Hi,
It's been almost 1.5 years since 0.8.0 was released. There's been only
a handful [see below] of commits to 0.8 branch, but some of them are
quite essential.I'm planning to do 0.8.1 release tarball soon. Please yell if we need
to cherry-pick more commits, or you have pending things for the
0_8-branch.Thanks,
TimoChangeLog for the 0.8 branch since 0.8.0 tagging:
2012-08-23 Timo Teras <timo.teras@…>* src/racoon/crypto_openssl.c: From Nakano Takaharu: Fix bignum
memory allocation.2012-01-01 Timo Teras <timo.teras@...>* src/racoon/isakmp_unity.c: From Rainer Weikusat
<rweikusat@...>: Fix one byte too short memory
allocation in isakmp_unity.c:splitnet_list_2str().2011-11-17 Yvan Vanhullebus <vanhu@...>* src/racoon/handler.c: fixed some crashes in LIST_FOREACH where
current element could be removed during the loop2011-11-14 Timo Teras <timo.teras@...>* src/libipsec/pfkey.c: From Marcelo Leitner <mleitner@...>:
do not shrink pfkey socket buffers (if system default is larger than
what we want as minimum)2011-08-12 Timo Teras <timo.teras@...>* src/racoon/privsep.c: Have privilege separation child process
exit if the parent exits.* Makefile.am: Create ChangeLog for proper CVS branch.
2011-03-18 tag ipsec-tools-0_8_0</timo.teras@...></mleitner@...></timo.teras@...></vanhu@...></rweikusat@...></timo.teras@...></timo.teras@…></timo.teras@ik…>
-
Something seems to be moving afterall in the ipsec-tools front:
The patches applied since the original mail are:
2012-08-29 Timo Teras <timo.teras@…>* src/racoon/isakmp_inf.c: From Roman Hoog Antink <rha@...>:
Accept DPD messages with cookies also in reversed order for
compatiblity. At least Cisco 836 running IOS 12.3(8)T does this.* src/racoon/oakley.c: From Roman Hoog Antink <rha@...>: add
remote's IP address to the "certificate not verified" error message.* src/racoon/oakley.c: From Roman Hoog Antink <rha@...>: do not
print unnecessary warning about non-verified certificate when using
raw plain-rsa.* src/racoon/isakmp.c: From Rainer Weikusat
<rweikusat@...>: Release unused phase2 of
passive remotes after acquire.* src/racoon/isakmp.c: From Wolfgang Schmieder
<wolfgang.schmieder@...>: setup phase1 port properly.* src/racoon/: cfparse.y, cftoken.l, racoon.conf.5: Allow inherited
remote blocks without additional remote statements to be specified
in a simpler way. patch by Roman Hoog Antink<rha@...></rha@...></wolfgang.schmieder@...></rweikusat@...></rha@...></rha@...></rha@...></timo.teras@…>According to the discussion, there are two last patches to be committed any day now:
Attached patch is a somewhat smarter X509 subject name compare.
X509 names may contain entries with different encodings (like UTF-8)
The old code (some copy from the ancient openssl 0.9.7 release)
did not handle that.
The new code does only handle stripping of the wildcards from the name
and let openssl do the compare of all non wildcard entries…And another patch to check that building ipsec-tools is done with a reasonably recent OpenSSL 0.9.7 or newer