[Openswan dev] Openswan patches for better rpm and OCSP support

Alain RICHARD alain.richard at equation.fr
Fri Dec 2 12:24:45 CET 2005


I have submitted a bug report and the corresponding patch report for  
some issues in openswan 2.4.4.

The addressed issues are:

- the rpm spec file is missing folders needed for x509 support (/etc/ipsec.d/{aacerts,cacerts,certs,crls,ocspcerts,private})
- OCSP support is not correctly built because the pluto makefile is missing some definitions
- the rpm spec file does not ask for LDAP, CURL and THREADS support, which are needed for OCSP support. As the Redhat and Fedora projects addressed by this spec file do support all these three functionalities, I have enabled them by default.
- openswan may be built with some weak stuff (as far as security is concerned): DH group 1, Single DES and Null ESP encryption. By default these functionalities are not built, but there is a flag (USE_WEAKSTUFF) that currently enables DH1, and you may add #defines to build the other two functionalities. I propose that USE_WEAKSTUFF also cover the build of 1DES and NULL_ESP.
- by default the rpm spec file does not enable the WEAKSTUFF. I have added a define that makes it possible to build an rpm with the WEAKSTUFF enabled using "rpmbuild -ta --define useweakstuff=true openswan-xxx.tar.gz". This does not change the fact that openswan by default does not support this weak stuff, but it lets people who need it (and there are cases where this is really needed) use it (and in fact this is already possible, as the source code supports it).

You'll find the corresponding description and patch here:

http://bugs.xelerance.com/view.php?id=526

I have also looked at the OCSP support and it seems that it is not completely working yet. This code is old and has some bugs that were corrected in the strongswan project.

I am investigating these problems and I would like to know if there is any particular reason for openswan not being more in sync with the strongswan project? Is somebody working on merging more strongswan functionalities (like CRL caching and CA Management)? Also, the documentation of the StrongSwan project is more complete than the one in openswan; is there any reason not to include it?

If there is nobody working on it and if Andreas is OK, I may spend some time to port more stuff from Andreas' project to openswan.

Regards,

-- 
Alain RICHARD <mailto:alain.richard at equation.fr>
EQUATION SA <http://www.equation.fr/>
Tel : +33 477 79 48 00     Fax : +33 477 79 48 01
Client/server applications, network and Linux engineering
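As an added illustration of the two packaging changes described in the mail above (this is example spec-file code written for this page, not the submitted patch), the fragment below gates the weak-algorithm build behind an rpmbuild macro, keeps it off by default, and creates the x509 directories the mail lists. It assumes openswan's build honours USE_WEAKSTUFF, USE_LDAP, USE_LIBCURL and HAVE_THREADS as make variables, and uses rpm's usual `--define 'name value'` form.

```spec
# Example only (not the patch from the bug report).
# Default build: macro undefined -> DH1, 1DES and NULL_ESP are left out.
# Weak build:    rpmbuild -ta --define 'useweakstuff 1' openswan-xxx.tar.gz
%if 0%{?useweakstuff}
%define weakflags USE_WEAKSTUFF=true
%else
%define weakflags %{nil}
%endif

%build
# Assumed make variable names (USE_WEAKSTUFF is the one named in the mail);
# LDAP, curl and threads are what the OCSP code path needs.
make programs USE_LDAP=true USE_LIBCURL=true HAVE_THREADS=true %{weakflags}

%install
make DESTDIR=%{buildroot} install
# Directories the mail reports as missing from the spec file.
for d in aacerts cacerts certs crls ocspcerts private; do
    install -d -m 0755 %{buildroot}/etc/ipsec.d/$d
done
# Private keys live here: keep the directory readable by root only.
chmod 0700 %{buildroot}/etc/ipsec.d/private

%files
%dir /etc/ipsec.d/aacerts
%dir /etc/ipsec.d/cacerts
%dir /etc/ipsec.d/certs
%dir /etc/ipsec.d/crls
%dir /etc/ipsec.d/ocspcerts
%attr(0700,root,root) %dir /etc/ipsec.d/private
```

A quick check after building is `rpm -qlv openswan-*.rpm | grep ipsec.d/private`, which should show the 0700 mode; a package built without the macro should not contain any DH1/1DES/NULL_ESP support.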
