Description of problem:
Rebase OpenSwan in RHEL 5.9 with all fixes to the openswan bugs listed in Bug 573526 - (USGv6Cert) [RHEL6 DoC] USGv6 Certification.

Version-Release number of selected component (if applicable):
RHEL 6.1 to be rebased for RHEL 5.9

How reproducible:
n/a

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Bug BZ#768442 is dependent on the following kernel bug: https://bugzilla.redhat.com/show_bug.cgi?id=768460

If the above fix is not there in the 5.9 kernel, that means you can't use sha2_truncbug=yes, so just remove this from the ipsec conf file and it should work.
Ok, that helps, but like this the test is passing also with the old version of openswan. So it seems it is not testing what it is supposed to.
I think I see the point now (as it is described here https://bugzilla.redhat.com/show_bug.cgi?id=768442#c10): the test is failing/passing because the bug fix requires not only a fix in openswan but also in the kernel, which is missing. Moreover, the openswan part is optional and can be switched on/off with sha2_truncbug.
Avesh, recently we found out that there is also a problem with Bug 768162. Its fix is "backported" to the RHEL5.9 build as well. Please recall [1] that this bug contained two issues:

1. openswan generated a KE payload with 1 less byte occasionally.

This issue is correctly resolved in openswan-2.6.32-4.el5

2. openswan generated a DH shared key that was 1 byte short because nss did not add leading zero bytes when needed

Unfortunately this problem is still present on rhel5.9 (with openswan-2.6.32-4.el5) because nss is not fixed on rhel5.9 (Bug 855809).

So, how to handle this? If nss will not be fixed (and it might be already too late), I suggest to add a technical note that the second part of Bug 768162 is still present. Is there any workaround for it (I do not see any)?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=768162#c36
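The two issues in the comment above are the same encoding mistake applied to two different values: a KE payload (g^a mod p) and the DH shared secret (g^ab mod p) must both be emitted as fixed-width big-endian numbers padded to the byte length of the group modulus, and a minimal encoding drops the leading zero byte about one time in 256. The following Python example (added here; it is not openswan, NSS or Red Hat code, and it uses a constructed 16-bit toy group rather than a real IKE group) shows the faulty minimal encoding beside the padded one, the key mismatch that results, and the length check a test suite or receiver can apply to catch the short case:

```python
import hashlib

# Constructed toy Diffie-Hellman group (NOT a real IKE group): a 16-bit prime
# so the search below finishes instantly. Real groups are 1024+ bits, but the
# encoding rule is identical.
P = 65521          # largest prime below 2**16, hence a 2-byte modulus
G = 3


def modulus_len(p: int) -> int:
    """Byte length of the group modulus; a KE payload and the DH shared
    secret must each be exactly this long."""
    return (p.bit_length() + 7) // 8


def encode_minimal(n: int) -> bytes:
    """Minimal big-endian encoding with leading zero bytes dropped. This
    mimics the faulty behaviour described on the page: the result is short
    whenever the top byte of n happens to be zero."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def encode_fixed(n: int, p: int) -> bytes:
    """Fixed-width encoding padded with leading zero bytes to the modulus
    length, which is what a corrected implementation must emit."""
    return n.to_bytes(modulus_len(p), "big")


def dh_shared(p: int, g: int, a: int, b: int) -> int:
    """Shared secret as computed by both peers; the two orders must agree."""
    left = pow(pow(g, a, p), b, p)
    right = pow(pow(g, b, p), a, p)
    assert left == right
    return left


def derive_key(shared: bytes) -> bytes:
    """Stand-in for IKE's SKEYID derivation: keying material derived from a
    mis-encoded secret differs between the two peers."""
    return hashlib.sha256(shared).digest()


def find_short_case(p: int, g: int):
    """Search a range of exponents for a shared secret whose top byte is
    zero, i.e. a case where the minimal encoding comes out one byte short.
    Returns (a, b, shared_secret_int). Exponents start above 100 so the
    first hit is not a trivially small value like g itself."""
    width = modulus_len(p)
    for a in range(100, p):
        for b in range(100, 200):
            s = dh_shared(p, g, a, b)
            if len(encode_minimal(s)) < width:
                return a, b, s
    raise RuntimeError("no short case found")


def secret_length_ok(secret: bytes, p: int) -> bool:
    """Check a receiver or a test suite can apply to a KE payload or to a
    locally derived shared secret: the length must equal the modulus
    length, never less."""
    return len(secret) == modulus_len(p)


if __name__ == "__main__":
    a, b, s = find_short_case(P, G)
    short = encode_minimal(s)
    good = encode_fixed(s, P)
    print(f"shared secret {s:#x}: minimal={short.hex()} fixed={good.hex()}")
    print("keys agree:", derive_key(short) == derive_key(good))
```

The `secret_length_ok` check is the useful part for a regression test: with a real group the short case shows up only occasionally, so a test that compares the encoded length against the modulus length over many handshakes will catch it, while a single successful handshake (as the earlier comments on this bug observed for sha2_truncbug) proves nothing.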
(In reply to comment #8)
> Avesh, recently we found out that there is also a problem with Bug 768162.
> Its fix is "backported" to the RHEL5.9 build as well. Please recall [1] that
> this bug contained two issues:
>
> 1. openswan generated a KE payload with 1 less byte occasionally.
>
> This issue is correctly resolved in openswan-2.6.32-4.el5
>
> 2. openswan generated a DH shared key that was 1 byte short because nss did
> not add leading zero bytes when needed
>
> Unfortunately this problem is still present on rhel5.9 (with
> openswan-2.6.32-4.el5) because nss is not fixed on rhel5.9 (Bug 855809).
>
> So, how to handle this? If nss will not be fixed (and it might be already too
> late), I suggest to add a technical note that the second part of Bug 768162
> is still present. Is there any workaround for it (I do not see any)?

I am OK with adding a technical note about it. However, I am just thinking if some customer looks at it and wonders why it has not been fixed. Yes, even I do not know any workaround.

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=768162#c36
(In reply to comment #9)
> (In reply to comment #8)

Hi Avesh,
shouldn't there be a technical note also for the missing kernel fix that you mentioned in comment #5? I think it is the same issue, i.e. a missing bug fix of another component on which the openswan fix depends.
(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #8)
>
> Hi Avesh,
> shouldn't there be a technical note also for the missing kernel fix that you
> mentioned in comment #5? I think it is the same issue, i.e. a missing bug fix
> of another component on which the openswan fix depends.

Yes, right, I agree with you, and a note saying something like that sha2_truncbug is not supported on 5.9, simply because kernel support for this does not exist.
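What sha2_truncbug toggles is the length to which the HMAC-SHA-256 integrity check value is truncated: RFC 4868 mandates 128 bits, while older Linux kernels truncated SHA-2 HMACs to 96 bits, and two peers that disagree on the length reject each other's packets even though both compute the same MAC. The Python example below (added here, not openswan or kernel code; the mapping of `sha2_truncbug=yes` to the 96-bit length is this editor's reading of the option, and the key and packet bytes are constructed) shows why a mismatched truncation length fails verification, which is the behaviour the comments above say cannot be selected on a 5.9 kernel that lacks the support for setting it:

```python
import hashlib
import hmac

RFC4868_TRUNC_BITS = 128   # HMAC-SHA-256 ICV length mandated by RFC 4868
LEGACY_TRUNC_BITS = 96     # length older Linux kernels used (the "truncbug")


def trunc_bits_for(sha2_truncbug: str) -> int:
    """Map the ipsec.conf value to an ICV length. Assumption by this editor:
    'yes' selects the legacy 96-bit truncation, anything else the RFC length."""
    return LEGACY_TRUNC_BITS if sha2_truncbug.lower() == "yes" else RFC4868_TRUNC_BITS


def esp_icv(key: bytes, protected: bytes, trunc_bits: int) -> bytes:
    """Integrity check value: HMAC-SHA-256 over the protected ESP data,
    truncated to the leftmost trunc_bits bits as RFC 2104 specifies."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError("unsupported truncation length")
    mac = hmac.new(key, protected, hashlib.sha256).digest()
    return mac[: trunc_bits // 8]


def verify_icv(key: bytes, protected: bytes, icv: bytes, trunc_bits: int) -> bool:
    """Receiver-side check with a constant-time comparison; a length
    mismatch is a failure just like a wrong MAC."""
    expected = esp_icv(key, protected, trunc_bits)
    return len(icv) == len(expected) and hmac.compare_digest(icv, expected)


def peers_interoperate(sender_bits: int, receiver_bits: int) -> bool:
    """Simulate one ESP packet between a sender and a receiver that may be
    configured with different truncation lengths."""
    key = b"\x11" * 32                    # constructed test key
    pkt = b"constructed ESP payload"     # constructed protected data
    return verify_icv(key, pkt, esp_icv(key, pkt, sender_bits), receiver_bits)


if __name__ == "__main__":
    for s, r in [(128, 128), (96, 96), (96, 128), (128, 96)]:
        print(f"sender {s}-bit, receiver {r}-bit: {peers_interoperate(s, r)}")
```

In the real stack the truncation length is applied by the kernel's ESP implementation, not by the IKE daemon, so openswan's option can only work when the kernel lets user space choose the length; on a kernel without that support the ICV length is whatever the kernel hard-codes, regardless of ipsec.conf.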
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0077.html