Bug 439985
| Field | Value |
|---|---|
| Summary | openswan IKEv2 responder fails when encr=aes and dh=modp1024 |
| Product | Red Hat Enterprise Linux 5 |
| Component | openswan |
| Version | 5.2 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | urgent |
| Target Milestone | rc |
| Hardware | All |
| OS | All |
| Reporter | IBM Bug Proxy <bugproxy> |
| Assignee | Paul Wouters <pwouters> |
| QA Contact | Martin Jenner <mjenner> |
| CC | herbert.xu, jhrozek, lwang, pwouters, sconklin, tgraf |
| Fixed In Version | RHBA-2008-0395 |
| Doc Type | Bug Fix |
| Last Closed | 2008-05-21 15:29:07 UTC |
| Bug Blocks | 253764 |

Description

IBM Bug Proxy 2008-04-01 08:24:38 UTC

Created attachment 299867: log from eal5 (initiator)

Created attachment 299868: log from elm3a58 (responder)

Thank you for this bug report. You are right. We will address this issue.

openswan-2.6.11-1.el5 was built to resolve this problem.

I don't think 2.6.11 will address this issue? Since we do not yet have the aes-XXX in our proposals (to suggest or accept)

------- Comment From tchicks.com 2008-04-09 18:06 EDT-------

I just ran the test again with 2.6.11 and it doesn't address this bug.

aes-*-modp1024 has been added to the default responder policy database in 2.6.12, which we will release shortly. That should resolve this item.

http://www.openswan.org/download/development/openswan-2.6.12.tar.gz
http://www.openswan.org/download/development/openswan-2.6.12.tar.gz.asc

From the CHANGES file:

v2.6.12
* Add aes-*-modp1024 proposals to default responder policy db [antony]
  This is bug https://bugzilla.redhat.com/show_bug.cgi?id=439985
* Fix for ikev1 continuation segfault (only the first helper's continuations were cleaned up properly (eg. on dpd, sa expires..) [Anthony Tong]
* Redid fix for leftsourceip/rightsourceip getting deleted [paul]
  This is bug https://bugzilla.redhat.com/show_bug.cgi?id=432821
* As per RFC 4309, use modp2048 as default for PSK with IKEv2 [paul]
  Relates to https://bugzilla.redhat.com/show_bug.cgi?id=441588
* Added workaround for INITIATOR/RESPONDER keys being swapped [herbert]
* Preliminary work to support IKEv2_ENCR_AES_CCM__* algos [paul]
* modprobe the AES ccm kernel module on startup [paul]

openswan-2.6.12-1.el5 was built to address this problem.

------- Comment From tchicks.com 2008-04-22 19:04 EDT-------

I have verified that openswan-2.6.12 fixes this bug.

------- Comment From tchicks.com 2008-04-30 16:10 EDT-------

I verified this bug fix in openswan-2.6.12-2.el5 (snapshot #7) between an i386 and a ppc machine. Thanks Paul!

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0395.html
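
Added example (not part of the bug report and not openswan code): a small Python model of how an IKEv2 responder matches an initiator's SA offer against its policy database, showing why an offer of AES with modp1024 is refused until a matching entry exists. The policy entries, the 128-bit key length and the helper names are constructed for illustration and are not openswan's actual default database; the numeric transform IDs are the IANA IKEv2 values.

```python
# IANA IKEv2 transform IDs for the algorithms named in this bug.
ENCR = {"3des": 3, "aes": 12}        # ENCR_3DES, ENCR_AES_CBC
PRF = {"md5": 1, "sha1": 2}          # PRF_HMAC_MD5, PRF_HMAC_SHA1
INTEG = {"md5": 1, "sha1": 2}        # AUTH_HMAC_MD5_96, AUTH_HMAC_SHA1_96
DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14}
NO_PROPOSAL_CHOSEN = 14              # IKEv2 Notify error type


def proposal(encr, hashes, groups, keylens=(None,)):
    """One proposal: the acceptable transforms for each transform type.
    ENCR entries carry the key-length attribute (None for 3DES)."""
    return {
        "ENCR": {(ENCR[encr], k) for k in keylens},
        "PRF": {PRF[h] for h in hashes},
        "INTEG": {INTEG[h] for h in hashes},
        "DH": {DH[g] for g in groups},
    }


def respond(policy_db, offer):
    """Return one chosen transform per type from the first policy entry that
    overlaps the offer on all four types, else the NO_PROPOSAL_CHOSEN code."""
    for entry in policy_db:
        common = {t: entry[t] & offer[t] for t in entry}
        if all(common.values()):
            return {t: min(c, key=repr) for t, c in common.items()}
    return NO_PROPOSAL_CHOSEN


# Constructed policy databases (assumption, not openswan's real defaults).
# BEFORE has no AES entry at all; AFTER adds AES only in combination with
# modp1024, mirroring the wording of the 2.6.12 changelog entry.
BEFORE = [proposal("3des", ("sha1", "md5"), ("modp1024", "modp1536"))]
AFTER = BEFORE + [proposal("aes", ("sha1", "md5"), ("modp1024",), keylens=(128,))]

# Initiator offers (constructed): encr=aes with dh=modp1024, and a variant.
OFFER_AES_1024 = proposal("aes", ("sha1",), ("modp1024",), keylens=(128,))
OFFER_AES_1536 = proposal("aes", ("sha1",), ("modp1536",), keylens=(128,))

if __name__ == "__main__":
    print("before fix:", respond(BEFORE, OFFER_AES_1024))
    print("after fix: ", respond(AFTER, OFFER_AES_1024))
    print("aes+modp1536 after fix:", respond(AFTER, OFFER_AES_1536))
```

The last case shows that matching is per combination: in this model, adding AES with modp1024 does not make the responder accept AES with a different DH group.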