<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><DIV>I have submitted a bug report and the corresponding patch report for some issues in openswan 2.4.4.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The addressed issues are:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>- the rpm spec file is missing folders needed for x509 support (/etc/ipsec.d/{aacerts,cacerts,certs,crls,ocspcerts,private})</DIV><DIV>- OCSP support is not correctly built because the pluto makefile is missing some definitions</DIV><DIV>- the rpm spec file does not ask for LDAP, CURL and THREADS support that are needed for OCSP support. As the Redhat and Fedora projects addressed by this spec file do support all three of these functionalities, I have enabled them by default.</DIV><DIV>- openswan may be built with some weak stuff (as far as security is concerned): DH group 1, Single DES and Null ESP encryption. By default these functionalities are not built, but there is a flag (USE_WEAKSTUFF) that currently enables DH1 and you may add #defines to build the other two functionalities. I propose that USE_WEAKSTUFF also cover the build of 1DES and NULL_ESP.</DIV><DIV>- by default the rpm spec file does not enable the WEAKSTUFF. I have added a define that makes it possible to build an rpm with the WEAKSTUFF enabled using "rpmbuild -ta --define useweakstuff=true openswan-xxx.tar.gz". 
This does not change the fact that openswan by default does not support this weak stuff, but enables people who need it (and there are cases where this is really needed) to use it (and in fact this is already possible as the source code supports it).</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>You'll find the corresponding description and patch here:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><A href="http://bugs.xelerance.com/view.php?id=526">http://bugs.xelerance.com/view.php?id=526</A><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I have also looked at the OCSP support and it seems that it is not completely working yet. This code is old and has some bugs that were corrected in the strongswan project.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I am investigating these problems and I would like to know if there are any particular reasons for openswan not being more in sync with the strongswan project? Is somebody working on merging more strongswan functionalities (like CRL caching and CA Management)? Also, the documentation of the StrongSwan project is more complete than the one in openswan; are there any reasons not to include it? 
</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>If there is nobody working on it and if Andreas is OK, I may spend some time to port more stuff from Andreas' project to openswan.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Regards,</DIV><DIV> <BR><DIV> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">--<SPAN class="Apple-converted-space"> </SPAN></FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Alain RICHARD &lt;mailto:alain.richard@equation.fr&gt;</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">EQUATION SA &lt;http://www.equation.fr/&gt;</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Tel : +33 477 79 48 00<SPAN class="Apple-converted-space"><SPAN class="Apple-converted-tab"> </SPAN> </SPAN>Fax : +33 477 79 48 01</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Client/server applications, network engineering and Linux</FONT></P> </DIV><BR></DIV></BODY></HTML>