Sophie

libreswan-3.7-1.fc18.i686.rpm


See also https://libreswan.org/

v3.7 (December 10, 2013)
* SECURITY: CVE-2013-4564 Denial of service via unauth packet [Paul/Hugh]
* SECURITY: fix insecure tmp file in rpm %post - introduced in 3.6 [Tuomo]
* SECURITY: Properly handle IKEv2 I1 notification without KE payload [Paul]
* IKE: aes_gcm and aes_ccm now specify key size without salt [Paul/Hugh]
* NETKEY: Added twofish and serpent as valid ESP algorithms [Paul]
* KLIPS: Fix for crashes in ipsec_xmit_ipip() [Thomas/Roel/David]
* KLIPS: Fix NAT-T (NEED_UDP_ENCAP_ENABLE) for 3.4 kernel [Roel]
* KLIPS: Fix compiling for 3.9 kernels (PDE_DATA fix) [Paul]
* KLIPS: Claim we do namespaces - makes it work on simple host case [Paul]
* IKEv2: Add support for AES-GCM, AES-CCM [Paul/Hugh]
* IKEv2: Check for inbound traffic before sending liveness exchange [Matt]
* IKEv2: Fix some error codes that mistakenly used IKEv1 versions [Paul]
* IKEv2: in R1 don't copy their IKEv2 minor for our reply packet [Paul]
* IKEv2: Don't kill unrelated states on same hash chain in IKE DEL [Hugh]
* pluto: change ipsec_notification_names to ikev[12]_notify_names [Paul]
* pluto: Various cleanup and reducing scope of variables [Hugh]
* building: support for slackware version/init system detection [Roel]
* rsasigkey: Remove spurious debug line confusing ipsec showhostkey [Paul]
  (rhbz#1039655)
* initsystems: fix typo in openrc script [Natanael Copa]
* testing: KVM test system updates [Paul]
* secrets: Log glob failing for secrets parser as warning, not error [Paul]
* setup: fix systemd init detection [Tuomo]
* labeled ipsec: Set default value of secctx_attr_value to 32001 [Paul]
  (rhbz#923250)
* barf: don't load l2tp kernel modules and use new syntax (rhbz#1033191) [Paul]
* Bugtracker bugs fixed:
  #116: Don't load connections when leftcert= cert not found in NSS DB [Matt]

v3.6 (October 30, 2013)
* IKEv2: Fix interoperability bug in SKEYSEED generation [Paul/Hugh/Antony]
* IKEv2: Add liveness checks (a.k.a DPD for IKEv2) [Matt Rogers]
* IKEv2: ikev2=insist allowed ikev1 when acting as responder [Matt Rogers]
* IKEv2: Fix fallback to ikev1 when remote has ikev2=no [Paul]
* IKEv1: Cleanup AGGR Mode VendorID - also send fragmentation vid [Paul]
* IKEv1: Added cisco_unity= (default no) option which sends VID [Paul]
* IKEv1: Fix compatibility with NAT-T and remote_peer_type=cisco [Paul]
* IKEv1: dpdaction=restart_by_peer is now called dpdaction=restart [Paul]
* IKEv1: Added support for modecfgbanner= and modecfgdomain= [Paul]
* IKE: introduce ikepad=yes|no (default yes) for Checkpoint interop [David]
* pluto: work around for Cisco VPN clients sending extraneous bytes [Paul/Hugh]
* pluto: Support for google-authenticator OTP via pam [Paul]
* pluto: fix kernel.c typo in word outgoing [Tuomo]
* pluto: remove dsa/elgamal stubs from gnupg that were unused [Paul]
* pluto: Added per conn priority= to specify kernel IPsec SA priority [Paul]
* keyword: auto=route and ipsec auto --route renamed to "ondemand" [Paul]
* NETKEY/BSD: Added per conn reqid= to specify kernel IPsec SA [Paul]
              (based on idea by Panagiotis Tamtamis)
* pluto: %fromcert now works for local certs and those received via IKE [Matt]
* pluto: Allow \\ masking in RDNs similar to ,, [Matt Rogers]
* pluto: merge updateresolvconf/restoreresolv.conf in client-up|down [Paul]
* building: Removed USE_MODP_RFC5114 flag. Support is always added [Paul]
* building: Removed USE_AGGRESSIVE flag. Support is always added [Paul]
* building: Removed USE_XAUTH flag, Support is always added [Paul]
* building: Removed MODECFG* flags, Support is always added [Paul]
* building: Remove blowfish (use twofish instead) [Paul]
* building: Generate Makefile depend files automatically [Tuomo]
* building: Add support for openrc initsystem on Alpine Linux [Paul]
* packaging: spec files now initialise NSS DB when not found [Paul]
* NETKEY: Take protoport= into account when setting IPsec SA priority [Paul]
* NETKEY: Change Update SA to Add SA when existing SA is not found [Mattias]
* NETKEY: Fix Labeled IPsec (broken in openswan 2.6.33) [Paul]
* KLIPS: Support for 3.10+ kernels (/proc use via seq_* functions) [David]
* Changed HAVE_STATSD compile option to statsbin= runtime option [Paul]
* sysvinit: status function used incorrect variable for pid file [Tuomo]
* _stackmanager: coding style cleanup - fixes bashism [Tuomo]
* testing: Various interop test case updates [Paul]
* FIPS: Support versioned hmac files, fips test in non-fips mode [Paul]
* rsasigkey/newhostkey: Keysize for new RSA keys increased from 2192
  to randomised 3072-4096 (in blocks of 16) to fight keysize monoculture [Paul]
* Removed unused and unmaintained USE_TAPROOM functionality [Paul]
* NAT-T: Added 100.64.0.0/10 from RFC 6598 to virtual_private [Paul]
* NSS: pluto should now open NSS files in readwrite, just read [Paul]
* Bugtracker bugs fixed:
  #130: debian debuild creates a deb with /usr/libexec contents
        [Marc-Christian Petersen]
  #145: support old location of /selinux/enforce still in use by CentOS6 [Paul]

v3.5 (July 13, 2013)
* NETKEY: _stackmanager: Clear disable_xfm/disable_policy /proc files
          for labeled IPsec [Paul]
* KLIPS: Added support for kernel 3.9.x [Paul/David]
* KLIPS: NATT support for kernel 3.5+ needs udp_encap_enable() [David]
* KLIPS: pointer can look valid during free process [Unknown/David]
* KLIPS: change default for hidetos (quality of service) to yes [Paul]
* KLIPS: preliminary SHA2 family support via OCF/CryptoAPI [David]
* MAST: _stackmanager: bring mast0 up even if module was loaded [neoXite]
* MAST: Add support for IPv6 iptables mangle table in updown.mast [Paul]
* _stackmanager: Move iptables mangle rules to MAST only section [Paul]
* _stackmanager: re-add support for hidetos=, overridemtu= and fragicmp= [Paul]
* _stackmanager: Clear disable_xfm/disable_policy for labeled IPsec [Paul]
* pluto: Fix reading ipsec.secrets without trailing newline [Hugh]
* pluto: 'ipsec status' output changes, added 'config setup' items [Paul]
* pluto: Added config setup, compile paths, runtime info to ipsec status [Paul]
* pluto: removed IKE_ALG and KERNEL_ALG defines [Paul]
* pluto: Simplify Pluto_IsFIPS(), remove redundant log message [Paul]
* pluto: Added Pluto_IsSElinux() to log SElinux runtime status [Paul]
* pluto: Removed unused alg_info parameters permitmann and permitike [Paul]
* pluto: Fix STATE_XAUTH_R0/STATE_XAUTH_R1 state names [Paul]
* pluto: out_modify_previous_np() should allow ISAKMP_NEXT_SIG for RSA [Paul]
* building: cleanup old vars, and allow more env overrides [Paul]
* packaging: Fix systemd script Alias target (rhbz#982166) [Paul]
* newhostkey: help the user when nssdb is not initialized yet [Paul]
* newhostkey: simplify default nss dir handling [Paul]
* lswan_detect: cleanup coding style and fix help for unknown options [Tuomo]
* lswan_detect: add gentoo detection [Tuomo]
* setup: add rhsysv, openrc, and real sysv init support [Tuomo]
* barf: do not cause any iptables modules to get loaded (rhbz#954249) [Paul]
* look: Don't cause loading of iptables kernel modules (rhbz#954249) [Paul]
* FIPS: Remove hardcoded /usr/libexec/ipsec path, use IPSEC_EXECDIR [Paul]
* FIPS: Add warning in ipsec verify for prelink command [Paul]
* testing: Add option for "post" scripts during a test run [Matt Rogers]
* testing: dist_cert support for commands in different path locations [Matt]
* testing: Generate CRL with leading zero byte for testing [Paul]
* Bugtracker bugs fixed:
   #82: Phase out DBG_KLIPS/DBG_NETKEY for DBG_KERNEL [Paul]
   #96: lswan_detect: Alpine linux compatibility [Tuomo]
   #99: NETKEY: Segfault on acquire_netlink with labeled_ipsec [Kim/Tuomo]
  #101: restore port when ipsec policy is generated for nat-t [Kim/Tuomo]
  #124: pluto: Add usage comment for addresspool.* [Paul]
  #126: pluto: nhelpers= does not default to -1 [Paul]
  #128: pluto: prevent libcurl sigalarm from crashing pluto (lsbz#128) [Paul]

v3.4 (June 6, 2013)
* Change coding style to Linux kernel [Team]
* IN MEMORIAM: June 3rd, 2013 Hugh Daniel

v3.3 (May 13, 2013)
* SECURITY: atodn() buffer overflow with oe=yes [Florian/Hugh/Paul]
            affected: libreswan 3.0 and 3.1 (CVE-2013-2052)
            see also: openswan up to 2.6.38 (CVE-2013-2053)
            see also: strongswan up to 4.3.4 (CVE-2013-2054)
* security: dn_parse(), hex_str() write beyond end of the buffer [Florian]
* security: get_rnd_bytes: Abort on random number generator failure [Florian]
* security: Integer overflow if the leak detective enabled [Florian]
* security: Check that origin of netlink message is the kernel [Florian]
* security: Abort on crypto failure for 3des/aes to prevent leaks [Florian]
* security: Check PK11_CreateContextBySymKey() for NULL and SECFailure [Paul]
* security: RSA: Check modulus length against key overall length [Florian]
* security: fetch_curl: Set timeout for the entire request [Florian]
* security: Multiple hardening fixes from security audit [Florian Weimer]
* security: Cleanup buffer usage for traffic logging with XAUTH [Hugh]
* security: Cleanup ASN1_BUF_LEN use and remove unused load_host_cert() [Paul]
* security: cleanup CFLAGS handling [Paul]
* security: IKEv2 crashed when using nhelpers=0 [Paul]
* security: Remove stale non-NSS ASN1 handling and pem decryption code [Paul]
* security: Initial loading of file CRL fails for NSS CAs  [Matt Rogers]
            (rhbz#960171)
* security: Removal of USE_WEAKSTUFF and USE_NOCRYPTO (1DES, modp768) [Paul]
* security: Removal of 1DES for KLIPS using CryptoAPI [Paul]
* security: Cleanup of ASN1_BUF_LEN/BUF_LEN/PATH_MAX defines [Paul]
* pluto: Add support for OID_SHA224_WITH_RSA signatures [Paul]
* pluto: Always list section headers --list* calls, even when empty [Paul]
* X509: Fix for CRL sig failure if first byte is zero [Dhr/Matt/Paul]
        (rhbz#958969)
* _stackmanager: fix loading of aes-x86_64 module [Tuomo]
* Bugtracker bugs fixed:
   #64: removal of /dev/*random everywhere put feeding nss pools [Paul]
   #90: NETKEY: Transport mode inbound eroute was from client [Kim/Tuomo]
   #91: SAREF: Patches updated for 3.4.x (tested on 3.4.42) [Andreas Herz]

v3.2 (April 13, 2013)
* addresspool: Identify reconnecting client and re-use lease [Antony]
* IKEv1: Support for sending initial_contact in Main Mode [Paul]
* addconn: improve defaultroute finder [Kim]
* compiling: fix use of variables in buildsystem to be consistent [Tuomo]
* ipsec: fix syntax error in --help introduced in 3.1 [Tuomo]
* verify: fix wrong confdir location [Tuomo]
* pluto: cleanup of XAUTHuser and traffic statistics logging [Paul]
* pluto: Obsoleted force_keepalive= and --force_keepalive [Paul]
* pluto: Added per-conn nat_keepalive=yes|no (default yes) [Paul]
* pluto: Log our own vendorid as "received" instead of "ignored" [Paul]
* pluto: Prevent logging from truncating XAUTHuser= [Paul]
* pluto: Don't log (0 byte) SA traffic statistics for ISAKMP SA's [Paul]
* pluto: Some more changes in the output of ipsec auto --status [Paul]
* pluto: wipe old logfile on restart (match previous behaviour) [Antony]
* _stackmanager: When unloading NETKEY, unload ip_vti before xfrm*tunnel [Paul]
* _stackmanager: Stack was not cleaned up for upstart / non-modular [Paul]
* building: Fix warnings when compiling with clang [Florian Weimer]
* building: Add -pie to linker flags, ensure relro is not overwritten [Paul]
* building: fix "make depend" in programs/pluto [Antony]
* packaging: Split RHEL spec file into rhel5/rhel6, add USE_OCF flag [Paul]
* initsystem: fixed default sysv init status function [Tuomo]
* KLIPS: SAref patches for 3.0.55+ and RHEL 2.6.32-358.2.1 [Pavel Kopchyk]
* Bugtracker bugs fixed:
   #75: Libreswan inserts wrong xfrm policies on some configurations [Tuomo]
   #76: NSS: ipsec initnss fails with a @FINALCONFDDIR@ replace and
        no default configdir [Tuomo]
   #78: NSS: segfault on libnss functions when using ikev2 [Antony]
   #85: NETKEY: Pass traffic selectors to the kernel in Transport Mode
        support was incomplete and broke nat-t transport mode [Kim/Tuomo]

v3.1 (March 14, 2013)
* XAUTH: Support for leftaddresspool= [Antony]
* XAUTH: Added xauthby=alwaysok option [Paul]
* XAUTH: Added xauthfail=hard|soft option [Paul]
* IKEv1: Support for IKE fragmentation via ike_frag= [Wolfgang/Paul/Hugh]
* IKEv1: Support for removing bogus non-ESP markers [Paul/Hugh]
* NETKEY: Show traffic stats in ipsec auto --status and teardown [Wes/Paul]
* ipsec: Add "ipsec start|stop|restart|status" aliases [Paul]
* testing: Many updates to KVM testing infrastructure [Paul/Antony]
* starter: auto=route and auto=start only performed auto=add [Wolfgang]
* libswan: logging cleanups from openswan 2.5.x era [DHR/Antony/Paul]
* pluto: log XAUTHusername in the "established IPsec SA" line [Paul]
* pluto: Show labeled IPsec information in ipsec auto --status [Paul]
* pluto: Various minor changes to ipsec auto --status output [Paul]
* pluto: Debug logs were not written if a file was specified [Paul/Antony]
* pluto: fix for additional proposal sizes when enabling 1DES [Paul]
* IKEv2: narrowing used a wrong port range in determining bestfit [Coverity]
* IKEv1: Better logging of Vendor IDs in [Paul]
* KLIPS: enable cryptoAPI in packaging/makefiles/module.defs [Paul]
* SAREF: patches for Ubuntu kernel 3.2.0-33.52 [Simon]
* libipsecconf: Improved fix for osw#1370  (segfault on no EOL) [Philippe]
* libipsecconf: Forbid rekey=no plus dpdaction=restart(_by_peer) [Paul]
* libipsecconf: crlcheckinterval unit is time, not number [Tuomo]
* libipsecconf: Remove bogus key_from_DNS_on_demand policy for PSK [Paul]
* libipsecconf: Raise POLICY bits from int (32) to lset_t(64) [Paul]
* libipsecconf: sourceip= setting could overwrite nexthop= setting [Paul]
* XAUTH: ModeConfig DNS options only worked via whack, not config file [Paul]
* XAUTH: modecfg_wins[12]= support removed [Paul]
* XAUTH: Use re_entrant versions of localtime_r/gmtime_r [Paul]
* XAUTH: Added threading mutex locks for log functions [Philippe/Paul]
* XAUTH: Added threading mutex locks for crypt() [Philippe]
         (crypt_r is not available on all platforms)
* XAUTH: Only try to update resolveconf/restoreconf when XAUTH client [Paul]
* addconn: If no protostack= is configured, return "netkey" as default [Paul]
* addconn: Fix for addconn loading Point-To-Point connections [Kim]
* X509: Initialise libcurl for SSL to support CRLs over HTTPS [Paul]
* X509: Warn 14 days before certificates expire [Tuomo]
* packaging: add /etc/ipsec.d/{crls,cacerts} to rpm spec files [Tuomo]
* packaging: Fixes to spec file, added kmod spec file for KLIPS [Paul]
* compiling: added -pthread to CFLAGS [Tuomo]
* _plutorun: pass all command line options to pluto [Tuomo]
* _updown: Various fixes for klips/netkey version [Tuomo/Antony]
* X509: Reintroduced lock_certs_and_keys()/unlock_certs_and_keys()  [Paul]
* initsystem: change sysv initscripts to use new _plutorun interface [Tuomo]
* DPD: Don't try to delete non-events [Paul]
* Bugtracker bugs fixed:
   #8  honour compress=no option [Matt Rogers]
   #50 It is assumed ipsec.conf lives in the same dir as rc.d/init.d [Tuomo]
   #53  ipsec auto --status does not show phase2 parameters when using
        (unspecified) defaults? [Matt Rogers]
   #71 Libreswan pre-3.1 git version breaks on-demand ipv6 tunneling [Tuomo]

v3.0 (January 02, 2013)
* FORK: Rename from Openswan to Libreswan [Team]
        (for older CHANGES see docs/CHANGES.openswan)
* FORK: Changed our VendorID prefix to "OEN" [Team]
* LICENSE: Updated FSF address on the GPLv2 COPYING file [Team]
* TRADEMARK: Give everyone unlimited eternal royalty-free license to
        use the name "libreswan" to refer to this software and website [Team]
* NSS: is now mandatory - custom crypto code removed [Paul]
* NSS: Support reading NSS password from file [Avesh]
* NSS: Added "ipsec initnss" and "ipsec import" commands [Paul]
* NSS: We need to include nsperror.h for PR_GetError() [Paul]
* NSS: PK11_DigestFinal() passed sizeof pointer instead of passing
        sizeof *pointer [Paul]
* NSS: use pkg-config to find the right cflags and libs [Paul]
* DNS: Removed LWRES code and old static ISC libraries [Paul]
* DNS: Don't attempt to resolve numerical sourceip= values [Paul]
* DNS: starter and pluto now support USE_DNSSEC using libunbound [Paul]
* OE: Removed support for old KEY and TXT DNS records [Paul]
* OE: Add support for IPSECKEY in ipsec showhostkey [Paul]
* pluto: --config <fn> uses libipsecconf to read 'config setup' [Kim B. Heino]
* pluto: left=%defaultroute now obtains src ip from routing table [Kim B. Heino]
* pluto: Removed support for non-strict ike/esp lines [Paul]
* pluto: UDPFROMTO support was not enabled for NETKEY if not also built
         with KLIPS [Paul]
* pluto: Pass traffic selectors to the kernel in Transport Mode [Avesh]
         (rhbz#831669)
* pluto: Fix phase confusion in xauth/modeconfig [Avesh]
* pluto: Added new option plutostderrlogtime= (default=no) [Paul]
* pluto: Additional safety checks to strncat() calls for addrtot(),
         inet_addrtot(), sin_addrtot(), alg_info_snprint_esp(),
         alg_info_snprint_ah(), idtoa() and format_end() [Paul]
* pluto: Removed unused OCSP code [Paul]
* pluto: Add Linux audit support via USE_LINUX_AUDIT (incomplete) [Paul/Antony]
* pluto: crlcheckinterval did not interpret plain numbers as seconds [Philippe]
* pluto: Change ft_mbz to ft_zig - Don't error on "must be zero" but instead
         "zero ignore". This works around an Android ICS/racoon bug [Paul]
* pluto: Update known vendorids [Paul]
* pluto: phased out HAVE_THREADS, pluto/pam now thread-safe [Philippe/Paul]
* pluto: Fixed IPSEC_CONFDDIR handling which broke NSS in tests [Paul]
* pluto: obsoleted prepluto= postpluto= plutoopts= config setup options [Paul]
* pluto: obsoleted plutowait= and pluto= config setup option [Paul]
* pluto: obsoleted nocrsend= option removed (use leftsendcert=) [Paul]
* pluto: removed manual keying remnants [Paul]
* pluto: remove protostack=auto and --use-auto, netkey is new default [Paul]
* pluto: Added perpeerlog=yes|no and perpeerlogdir=/var/log [Paul]
* pluto: Added retransmits=yes|no (matches pluto --noretransmits) [Paul]
* pluto: Added plutofork=yes|no to match pluto --nofork [Paul]
* pluto: added ikeport= and nat_ikeport= options, and --natikeport [Paul]
* pluto: support for secretsfile= and ipsecdir= in ipsec.conf [Paul]
* pluto: remove old unused USE_IPSECPOLICY code [Paul]
* pluto: rhbz#609343: pluto crashes when removing logical interface [Avesh]
* pluto: don't stop processing after --coredir argument [Paul]
* pluto: perform whack --listen and addconn --autoall on startup [Paul]
* pluto: honour plutostderrlog= natively now _plutorun is gone
         This also adds a new option --logfile to the pluto daemon [Paul]
* pluto: if started with --nofork, don't care about existing pid file [Paul]
* pluto: incorrect free in scan_proc_shunts() [Roel van Meer]
* pluto: eclipsed() was broken since freeswan-2.02 [Philippe]
* _plutoload: obsoleted [Kim/Paul]
* auto: no longer pass defaultroute/defaultrouteaddr to addconn [Paul]
* whack: fix handling --sha2_truncbug and --nm_configured options [Paul]
* whack: don't try to write to closed stdout tty [Philippe]
* DPD: reduce flood of DPD messages with unexpected seqno [Andrey Alexandrenko]
* DPD: We did not send DPD VID in aggressive mode with NAT-T disabled
* DPD: dpdaction=restart can cause full phase1 timeout after DPD
  (rhbz#848132) [Avesh]
* PAM: updated contrib/pam.d/pluto (rhbz#815127) [Philippe Vouters]
* PAM: move pam out of contrib, and install config when HAVE_XAUTHPAM [Paul]
* IKEv1: In aggressive mode: allow ISAKMP_NEXT_CR ISAKMP_NEXT_CERT as
         payloads [Philippe]
* IKEv1: aggressive mode sometimes picked wrong RSA/PSK conn [Philippe]
* IKEv1: Simplify outgoing NAT-T proposals, fix logging [Paul]
* XAUTH: Support for runtime choice of xauthby=<pam|file> [Philippe]
* XAUTH: Support for Mutual RSA + XAuth (interop with Shrew Soft) [Philippe]
* XAUTH: Fixed updown to remove ModeCfg (cisco) obtained sourceip [Avesh/Tuomo]
* XAUTH: Do not redo xauth/modecfg during rekey to cisco [Avesh]
* XAUTH: Use incoming XAUTH VID when picking best connection [Philippe]
* XAUTH: pam was failing when built with USE_LIBCAP_NG=true [Philippe Vouters]
* XAUTH: Fixup of defines [Paul/Philippe]
* XAUTH: Don't use XAUTH VID to put conn in policy XAUTH [Andrey Alexandrenko]
* XAUTH: Fix XAUTH TYPE handling and logging [Philippe]
* IKEv2: Comply to RFC's for "must be zero" to ignore instead of abort [Paul]
         (rhbz#831669)
* IKEv2: road warrior support [Antony/Paul/Avesh]
* IKEv2: narrowing code extended to cover ports,protocol,subnets [Antony/Paul]
* Only set MODP768_MODULUS with USE_VERYWEAK_DH1 [Paul]
* NETKEY: ignore interfaces= line for NETKEY [Paul]
* NETKEY: Fix for three AES-GCM issues with key lengths 128, 192, 256 bits
          and IV of 8, 12, 16 bytes as per RFC 4106 [Avesh]
* NETKEY: Labeled IPsec updates [Avesh]
* NETKEY: Support for SHA384/SHA512 and integ(ikev2)  in ESP [Avesh]
* NETKEY: In _updown.netkey, insert route on correct interface when nexthop
          is used [Tuomo]
* NETKEY: Revert "Always use XFRM_MSG_UPDPOLICY instead of XFRM_MSG_NEWPOLICY"
          This caused module unload issues and XFRM_MSG_REPLACE errors [Paul]
* KLIPS: Removed support for Linux < 2.4.4 [Paul]
* KLIPS: Changed _startklips to use ip route instead of netstat [Harald]
* KLIPS: misc. fixes, mostly satot() related [David]
* KLIPS: 20% speed gain on transmitting packets [David]
* MAST: Fixed _updown.mast missing incomplete if-clause [Harald]
* SAREF: kernel patches updated to linux 3.2.0 [Simon Deziel]
* addconn: mimic _plutoload, cleanup and fixup of functions [Paul]
* scripts: Support /etc/sysconfig/ipsec and /etc/default/ipsec (rhbz#789917)
* _stackmanager: new script replacing _startnetkey/_startklips [Paul]
* barf: do not grep lastlog, wtmp, tmp (rhbz#771612) [Paul]
* verify: ported ipsec verify from perl to python [Paul]
* verify: check ipsec.conf, ipsec.secrets syntax [Paul]
* verify: warn on newly obsoleted keywords [Paul]
* auto: fix --status output for vnet/vhost case [Ani]
* copyright: Removed obsoleted/unmaintained "ipsec copyright" command [Paul]
* showdefaults: removed ipsec showdefaults [Paul]
* _include: Removed obsolete _include program [Paul]
* policy: Removed broken 'ipsec policy' [Paul]
* mailkey: Removed obsolete command. Was already not built or installed [Paul]
* scripts: phased out /var/run/pluto/ipsec.info [Paul]
* OSX: Set __APPLE_USE_RFC_3542 required for udpfromto functionality [Paul]
* DOCS: Add man page leftid= note on Cisco ID_KEY_ID Group Name [Philippe]
* liblibreswan: Remove unused optionsfrom() temp file handling [Paul]
* liblibreswan: Support commas inside OIDs by using ",," to mean ","
  inside the OID (rhbz#868986) [Matt Rogers]
* initsystems: Native support for systemd, upstart and sysvinit [Paul/Wes]
* testing: Ported broken UML harness to KVM/libvirt/9p [Paul/Antony]
           (see the wiki on libreswan.org for details on how to use it)
* packaging: Updated libreswan.spec to reflect updated options [Paul]
* packaging: /usr/lib{64}/ipsec is no longer used [Paul]
* manpages: Build during build phase, not during install phase [Wes]
* compiling: Update standard compile options to be more hardened [Paul]
* Bugtracker bugs fixed:
     #7    after 'make install' - check if the service is enabled
           or not and notify the user [Wes]
     #9    install /etc/pam.d/pluto if USE_XAUTH=true [Wes]
     #25   addconn behaves differently from whack regarding case  [Paul]
     #33   warn on /usr/local install with selinux enabled [Wes]
     #40   ensure make install checks and restorecon's SElinux policies [Wes]
  osw#993  ipsec showhostkey: wrong kind of key PPK_XAUTH [Philippe Vouters]
  osw#1308 forceencaps= setting does now show up in "ipsec auto --status"
           [Matt Rogers]
  osw#1329 IKEv2 core dumps on 2.6.32 with changes backported from the 2.6.38
           tree [Steve Lanser]
  osw#1334 Block rules created by openswan remain even after tunnel
           establishment or XFRM_MSG_POLEXPIRE [Panagiotis Tamtamis]
  osw#1349 pluto logging no subjectAltName matches ID '%fromcert', replaced
           by subject DN [Tuomo]
  osw#1359 Openswan L2TP and IPhone vpn connection [Paul]
  osw#1370 Segfault on no new line at the end of ipsec.conf [Wes]
  osw#1375 ipsec verify uses perl, should use python [Paul]
  osw#1381 XAuth: the variable PLUTO_XAUTH_USERNAME is empty in the updown
           script [Bram]
  osw#1384 confusing output from ipsec auto --status [Bram]

For older changes, see docs/CHANGES.openswan