[Openswan Users]
ANNOUNCE: x509-1.5.1 patch for freeswan-2.04 released
Andreas Steffen
andreas.steffen at strongsec.net
Sun Feb 8 11:31:13 CET 2004

Version 1.5.1 of the X.509 patch for FreeS/WAN 2.04 fully integrates
Mathieu Lafon's support of notification messages. I made some slight
changes which allow Pluto to send and receive informational messages
in *encrypted* form at the earliest possible moment, i.e. shortly
after the DH secret of IKE Main Mode has been established. This is
in accordance with RFC 2408 ISAKMP:

    If the Informational Exchange occurs prior to the exchange of keying
    material during an ISAKMP Phase 1 negotiation, there will be no
    protection provided for the Informational Exchange. Once keying
    material has been exchanged or an ISAKMP SA has been established, the
    Informational Exchange *MUST* be transmitted under the protection
    provided by the keying material or the ISAKMP SA.

This new approach gets rid of the two warnings typical of the original
Notify patch that

- either an encrypted informational message was not accepted because
  the ISAKMP SA hasn't been established yet on the receiving side
- or that the informational message should have been encrypted because
  the receiving side has already established the ISAKMP SA but the peer
  hasn't yet.

The new release of the X.509 patch can be downloaded from

http://www.strongsec.com/freeswan/

Kind regards

Andreas

=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
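
An added illustration, not part of the original post and not Pluto code: a simplified C model of the two warnings described above, comparing a rule that protects informational messages only once the ISAKMP SA is established with one that protects them as soon as the DH secret exists. The state names, the rule functions and the assumption that sender and receiver each apply the same rule to their own local state are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: how far one peer has progressed in IKE Main Mode. */
enum progress { NO_KEYS, DH_DONE, SA_ESTABLISHED };
enum outcome { ACCEPTED, ENCRYPTED_NOT_ACCEPTED, SHOULD_HAVE_BEEN_ENCRYPTED };

typedef bool (*protect_rule)(enum progress);

/* Assumed form of the original Notify patch behaviour: protection is
 * tied to an established ISAKMP SA. */
static bool rule_sa_established(enum progress p) { return p == SA_ESTABLISHED; }

/* Behaviour described for x509-1.5.1 and RFC 2408: protect as soon as
 * keying material (the DH secret) exists. */
static bool rule_keying_material(enum progress p) { return p >= DH_DONE; }

/* Assumption: the sender encrypts, and the receiver expects encryption,
 * by applying the same rule to its own local state. */
static enum outcome deliver(protect_rule rule, enum progress sender,
                            enum progress receiver)
{
    bool encrypted = rule(sender), expected = rule(receiver);
    if (encrypted && !expected) return ENCRYPTED_NOT_ACCEPTED;
    if (!encrypted && expected) return SHOULD_HAVE_BEEN_ENCRYPTED;
    return ACCEPTED;
}

/* Count mismatches over every state pair in which both peers already
 * hold the DH secret, the window the announcement is about. */
static int count_mismatches(protect_rule rule)
{
    int n = 0;
    for (int s = DH_DONE; s <= SA_ESTABLISHED; s++)
        for (int r = DH_DONE; r <= SA_ESTABLISHED; r++)
            if (deliver(rule, (enum progress)s, (enum progress)r) != ACCEPTED)
                n++;
    return n;
}

int main(void)
{
    printf("SA-established rule: %d mismatching state pairs\n",
           count_mismatches(rule_sa_established));
    printf("keying-material rule: %d mismatching state pairs\n",
           count_mismatches(rule_keying_material));
    return 0;
}
```

The model only covers the period after both peers have computed the DH secret; before that point neither rule encrypts.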