<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><BR><DIV><DIV>Le 4 déc. 05 à 10:00, Paul Wouters a écrit :</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">On Fri, 2 Dec 2005, Alain RICHARD wrote:</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I have submitted a bug report and the corresponding patch report for some</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">issues in openswan 2.4.4.</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Thank you. I noticed the bug report, and I do intend to fix some of the issues</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">you reported.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">- the rpm spec file is missing folders needed for x509 support</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">(/etc/ipsec.d/{aacerts,cacerts,certs,crls,ocspcerts,private})</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Not all of those are supported by the X.509 patch that is included in openswan,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">but you are right that we could create those directories.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>yes currently some of them are not fully implemented (for example aacerts), but they are all references during ipsec startup (you'll gain warning about theses not existing during ipsec startup) and they are also references by some commands (ipsec auto --listaacerts|--rereadaacerts|--listocspcerts ...). So I think it is simpler to just create them.</DIV><DIV> <BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">- OCSP support is not correctly built because pluto makefile is missing some</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">definitions</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">You mean the ones listed below? ldap, curl and threads? Or is there more?</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>In order to get the oscp code being compiled, you need ldap, curl and threads support, but also all the oscp code is commented by</DIV><DIV>#ifdef HAVE_OCSP instructions, so you need to define HAV_EOCSP in order to get oscp support compiled in. The simplest solution</DIV><DIV>I have found is to add -DHAVE_OCSP to the X509_DEFS line in programs/pluto/Makefile. I have also found a little error in this file where X509_DEFS is defined twice. So I have made this little patch :</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>--- openswan-2.4.4.orig/programs/pluto/Makefile 2005-08-12 03:12:38.000000000 +0200</DIV><DIV>+++ openswan-2.4.4/programs/pluto/Makefile 2005-11-29 11:11:21.000000000 +0100</DIV><DIV>@@ -150,8 +150,7 @@</DIV><DIV> SMARTCARD_DIST_SRCS=smartcard.c smartcard.h </DIV><DIV> X509_OBJS=${X509_DIST_OBJS}</DIV><DIV> X509_SRCS=${X509_DIST_SRCS}</DIV><DIV>-X509_DEFS=-DX509 </DIV><DIV>-X509_DEFS=-DX509_VERSION=\"${X509_VERSION}\"</DIV><DIV>+X509_DEFS=-DX509_VERSION=\"${X509_VERSION}\" -DHAVE_OCSP</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>#ifdef HAVE_OCSP code where added when OCSP support was first added. In my opinion, it is not needed any longer (and was remove from strongswan for example). So an other solution is simply to remove the #ifdef statments :</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>macagr:~/Desktop/openswan-2.4.5dr3 arichard$ find . -type f | xargs grep HAVE_OCSP</DIV><DIV>./programs/pluto/plutomain.c:#ifdef HAVE_OCSP</DIV><DIV>./programs/pluto/rcv_whack.c:#ifdef HAVE_OCSP</DIV><DIV>./programs/pluto/rcv_whack.c:#ifdef HAVE_OCSP</DIV><DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">- the rpm spec file do not ask for LDAP, CURL and THREADS support that are</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">needed for OCSP support. As the Redhat and Fedora projects addressed by this</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">spec file do support all theses three functionalities, I have enabled them per</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">default.</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">The reason those are not enabled by default is that pluto is not thread safe,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">and we do not wish to enable threads on pluto when it is not needed.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">(on a Makefile level, they are not enabled per default also because some embedded</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN class="Apple-converted-space"> </SPAN>Linux machines do not support threading at all)</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>I well now that openswan is used in other embeded projects, but theses projets do not use (as far as I know) the rpm spec file. The rpm spec file is int the packaging/redhat folder and is here to build rpm distributions file for redhat, fedora and all redhat derived distributions. As far as I know, all theses plateforms support LDAP, CURL and THREADS.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Also note that THREAD support is only used during the fetching of OCSP certs and CRL. And there are only used if you enable it in the config file (using ipsec.conf crlcheckinterval). So I propose to enable it on the spec file only, like the patch submitted.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">- openswan may be built with some weak stuff (as far as security is concerned)</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">: DH group 1, Single DES and Null ESP encryption. Per default theses</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">functionnalities are not built, but there is a flag (USE_WEAKSTUFF) that</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">currently enables DH1 and you may add #defines to built the other two</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">functionnalities. I propose that USE_WEAKSTUFF cover also the built of 1DES</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">and NULL_ESP.</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">1DES and NULL_ESP is not weak, it is not real. It is further enabled by setting</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the USE_NOCRYPTO flags to signify that you know you are running with "no</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">cryptography". We firmly believe 1DES to be equal to "no cryptography".</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Therefor we do wish to make such false security easilly available to people.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">- per default the rpm spec file do not enables the WEAKSTUFF. I have added a</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">define that enables to build a rpm with the WEAKSTUFF enabled using "rpmbuild</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">-ta --define useweakstuff=true openswan-xxx.tar.gz". This do not change the</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">fact that openswan per default do not support theses weak stuff, but enables</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">persons who need them (and there are cases where this is really needed) to use</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">them (and in fact this is already possible as the source code support it).</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">We prefer to not encourage the use of either DH1 or 1DES. Every day that passes,</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">they become even weaker. Especially people who will use recompiled rpms with</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">this, thereby being large deployers of this need, should really migrate their</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">systems to add real crypto. I will talk with the other developers, but I don't</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">think we will want to facilitate easy access to these options.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>I have made some search in the code and found no references to USE_NOCRYPTO flag.</DIV><DIV>Sometimes it is necessary to have access to such functionnalities :</DIV><DIV>- 1DES and/or DH1 for compatibility purpose</DIV><DIV>- NULL_ESP for legality reasons (sometimes you are not allowed to use cryptography and currently AH is not any longer supported in openswan). An other use of NULL_ESP is when you use ipsec uppon an already encrypted layer (like Wifi WPA2) and have ipsec harware that do not support full speed encryption (Wifi is up to 25 Mbit per seconds currently).</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I do understand that you don't want this to be enabled per default in openswan, but the code currently support it and there is a lot of extra warning issued during negociation of such functionnalities.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>People needing such weak stuff is always able to enable it by recompilation. They just spent some time to found how to do it in openswan (and writing on the various support lists).</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Perhaps we should add a new ipsec.conf option "inowiamsillyusingthisweakstuffbutiwantit=true" ? Or we should completly remove this support from the source code ?</DIV><DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I have also looked at the OCSP support and it seams that it is not completly</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">working yet. This code is old and have some bugs that where corrected in the</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">strongswan project.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I am investigating theses problems and I would like to know if there is any</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">particular reasons for openswan beeing not more in sync with the strongswan</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">project ?</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">We did not have the resources for pulling up the X.509 changes made by Andreas.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Is somebody working in merging more strongswan functionnalities</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">(like CRL caching and CA Management) ?</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Not at this point. If someone has an intested in this, please contact me off list.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Ofcourse, anyone is welcome to submit patches for this.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>I do need the CRL and OCSP support and I am proposing to add support for it to openswan. Looking at the list, I have also found other people that are needing it also.</DIV><DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Also the documentation of the</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">StrongSwan project is more complete than the one in openswan, is there any</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">reasons not to include it ?</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">I have not looked at the changes. README.x509 is included with Openswan. I have</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">not read the updates to Andreas his documentation. Some of it does not apply due</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">to code changes. For example Openswan always uses strict mode, where Andreas is</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">using the !-symbol to denote strict mode. There might be other changes. So it</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">is not just a 'download and put in openswan-2/doc/ issue.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV>the README.x509 is very usefull and should probably be included in the default openswan rpm package (currently it is only put in the openswan-doc package). Also the strongswan projet have a very complete ipsec_auto man page with all the options for certificates handling.</DIV><DIV><BR><BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "></DIV> <BLOCKQUOTE type="cite"><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">If there is nobody working on it and if Andreas is OK, I may spent some time</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">to port more stuff from Andreas' project to openswan.</DIV> </BLOCKQUOTE><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Sure, we'd welcome patches.</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Paul</DIV> </BLOCKQUOTE></DIV><DIV><BR class="khtml-block-placeholder"></DIV>If Andreas is agree, I will submet some patches.<DIV><BR class="khtml-block-placeholder"></DIV><DIV>Regards,</DIV><DIV><BR><DIV> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">--<SPAN class="Apple-converted-space"> </SPAN></FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Alain RICHARD <<A href="mailto:alain.richard@equation.fr">mailto:alain.richard@equation.fr</A>></FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">EQUATION SA <<A href="http://www.equation.fr/">http://www.equation.fr/</A>></FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Tel : +33 477 79 48 00<SPAN class="Apple-converted-space"><SPAN class="Apple-converted-tab"> </SPAN> </SPAN>Fax : +33 477 79 48 01</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Helvetica" size="3" style="font: 12.0px Helvetica">Applications client/serveur, ingénierie réseau et Linux</FONT></P> </DIV><BR></DIV></BODY></HTML>