[Openswan dev] Openswan patches for better rpm and OCSP support

Sun Dec 4 10:00:42 CET 2005

On Fri, 2 Dec 2005, Alain RICHARD wrote:

> I have submitted a bug report and the corresponding patch report for some
> issues in openswan 2.4.4.

Thank you. I noticed the bug report, and I do intend to fix some of the issues
you reported.

> - the rpm spec file is missing folders needed for x509 support
> (/etc/ipsec.d/{aacerts,cacerts,certs,crls,ocspcerts,private})

Not all of those are supported by the X.509 patch that is included in openswan,
but you are right that we could create those directories.

> - OCSP support is not correctly built because pluto makefile is missing some
> definitions

You mean the ones listed below? ldap, curl and threads? Or is there more?

> - the rpm spec file do not ask for LDAP, CURL and THREADS support that are
> needed for OCSP support. As the Redhat and Fedora projects addressed by this
> spec file do support all theses three functionalities, I have enabled them per
> default.

The reason those are not enabled by default is that pluto is not thread safe,
and we do not wish to enable threads on pluto when it is not needed.
(on a Makefile level, they are not enabled per default also because some embedded
 Linux machines do not support threading at all)

> - openswan may be built with some weak stuff (as far as security is concerned)
> : DH group 1, Single DES and Null ESP encryption. Per default theses
> functionnalities are not built, but there is a flag (USE_WEAKSTUFF) that
> currently enables DH1 and you may add #defines to built the other two
> functionnalities. I propose that USE_WEAKSTUFF cover also the built of 1DES
> and NULL_ESP.

1DES and NULL_ESP is not weak, it is not real. It is further enabled by setting
the USE_NOCRYPTO flags to signify that you know you are running with "no
cryptography". We firmly believe 1DES to be equal to "no cryptography".
Therefor we do wish to make such false security easilly available to people.

> - per default the rpm spec file do not enables the WEAKSTUFF. I have added a
> define that enables to build a rpm with the WEAKSTUFF enabled using "rpmbuild
> -ta --define useweakstuff=true openswan-xxx.tar.gz". This do not change the
> fact that openswan per default do not support theses weak stuff, but enables
> persons who need them (and there are cases where this is really needed) to use
> them (and in fact this is already possible as the source code support it).

We prefer to not encourage the use of either DH1 or 1DES. Every day that passes,
they become even weaker. Especially people who will use recompiled rpms with
this, thereby being large deployers of this need, should really migrate their
systems to add real crypto. I will talk with the other developers, but I don't
think we will want to facilitate easy access to these options.

> I have also looked at the OCSP support and it seams that it is not completly
> working yet. This code is old and have some bugs that where corrected in the
> strongswan project.
>
> I am investigating theses problems and I would like to know if there is any
> particular reasons for openswan beeing not more in sync with the strongswan
> project ?

We did not have the resources for pulling up the X.509 changes made by Andreas.

> Is somebody working in merging more strongswan functionnalities
> (like CRL caching and CA Management) ?

Not at this point. If someone has an intested in this, please contact me off list.
Ofcourse, anyone is welcome to submit patches for this.

> Also the documentation of the
> StrongSwan project is more complete than the one in openswan, is there any
> reasons not to include it ?

I have not looked at the changes. README.x509 is included with Openswan. I have
not read the updates to Andreas his documentation. Some of it does not apply due
to code changes. For example Openswan always uses strict mode, where Andreas is
using the !-symbol to denote strict mode. There might be other changes. So it
is not just a 'download and put in openswan-2/doc/ issue.

> If there is nobody working on it and if Andreas is OK, I may spent some time
> to port more stuff from Andreas' project to openswan.

Sure, we'd welcome patches.

Paul