=== daniel is now known as Guest47234 | ||
=== Guest47234 is now known as Odd_Bloke | ||
threads9000_ | Hello, I'd like to request a Stable Release Update for Ubuntu 16.04 regarding the following issue: | 17:12 |
---|---|---|
threads9000_ | https://wiki.strongswan.org/issues/2126 | 17:12 |
threads9000_ | https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10 | 17:12 |
threads9000_ | https://github.com/trailofbits/algo/issues/430 | 17:12 |
threads9000_ | tl;dr strongSwan 5.3.5 has a serious bug with all iOS and macOS clients on IPSEC VPNs. The issue can be fixed by upgrading to strongSwan 5.5.1 which is available on Ubuntu 17.04. | 17:13 |
bdmurray | threads9000_: Have you seen http://wiki.ubuntu.com/StableReleaseUpdates? It documents the process / criteria. | 17:14 |
threads9000_ | Yes, the issue is fixed in the current release (17.04 / 5.5.1). I have tested the fix and it works (see trailofbits/algo for an easy method to test). | 17:18 |
threads9000_ | I am not aware of any regressions based on an upgrade of strongswan 5.3.5 to 5.5.1. I'm even able to use the exact same ipsec.conf file without modification. | 17:20 |
threads9000_ | I'm here to ask the Ubuntu bug control team to nominate this package for an SRU. | 17:20 |
teward | we don't nominate bugs for SRU necessarily; we can put the bug task to a given release, but the SRU nomination process isn't necessarily nomination by us. | 17:25 |
teward | (us being bug control) | 17:25 |
threads9000_ | I filed a bug for this issue: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1687711 | 17:29 |
ubot5` | Ubuntu bug 1687711 in strongswan (Ubuntu) "strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+" [Undecided,New] | 17:29 |
teward | have you tried backporting the software version to 16.04 and confirmed it works as expected? | 17:32 |
teward | and by 'backporting' i mean built the software on Xenial, tested, confirmed it works, etc. | 17:32 |
threads9000_ | I maintain this open source project (https://github.com/trailofbits/algo) though I'm not a developer. Several of Algo's users have done that and it works for them. I haven't personally tried. | 17:33 |
threads9000_ | I'll poke a few people that I think can further test this with backported packages on 16.04 and ask them to add comments to the ticket. | 17:52 |
threads9000_ | What is the typical uptake rate for SRUs (SRUs pushed vs filed/requested), and how long does it typically take to issue one? | 17:54 |
teward | "It Varies" is the answer to both questions, I believe. | 17:58 |
threads9000_ | There's a second packaging issue with Network Manager too... but I'll get to that later. Basically, Network Manager does not support the AES-GCM cipher suite for IKE connections because it was not packaged with strongswan's openssl plugin. Therefore, it is limited to AES-CBC, an unauthenticated cipher mode that has resulted in a number of interesting | 17:58 |
threads9000_ | cryptographic attacks over the last ~3 years or so. | 17:58 |
threads9000_ | Ok, well, beyond having someone add to that ticket and say "I built strongSwan 5.5.1 on Ubuntu 16.04 and it works fine, etc." what else is required to get this moving? | 17:59 |