[17:12] <threads9000_> Hello, I'd like to request a Stable Release Update for Ubuntu 16.04 regarding the following issue:
[17:12] <threads9000_> https://wiki.strongswan.org/issues/2126
[17:12] <threads9000_> https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients#IKEv2-on-iOS-9-and-iOS-10
[17:12] <threads9000_> https://github.com/trailofbits/algo/issues/430
[17:13] <threads9000_> tl;dr strongSwan 5.3.5 has a serious bug with all iOS and macOS clients on IPSEC VPNs. The issue can be fixed by upgrading to strongSwan 5.5.1 which is available on Ubuntu 17.04.
[17:14] <bdmurray> threads9000_: Have you seen http://wiki.ubuntu.com/StableReleaseUpdates? It documents the process / criteria.
[17:18] <threads9000_> Yes, the issue is fixed in the current release (17.04 / 5.5.1). I have tested the fix and it works (see trailofbits/algo for an easy method to test).
[17:20] <threads9000_> I am not aware of any regressions based on an upgrade of strongswan 5.3.5 to 5.5.1. I'm even able to use the exact same ipsec.conf file without modification.
[17:20] <threads9000_> I'm here to ask the Ubuntu bug control team to nominate this package for an SRU.
[17:25] <teward> we don't nominate bugs for SRU necessarily; we can put the bug task to a given release, but the SRU nomination process isn't necessarily nomination by us.
[17:25] <teward> (us being bug control)
[17:29] <threads9000_> I filed a bug for this issue: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1687711
[17:29] <ubot5`> Ubuntu bug 1687711 in strongswan (Ubuntu) "strongSwan 5.3.5 has a known incompatibility with iOS/macOS 10+" [Undecided,New]
[17:32] <teward> have you tried backporting the software version to 16.04 and confirmed it works as expected?
[17:32] <teward> and by 'backporting' i mean built the software on Xenial, tested, confirmed it works, etc.
[17:33] <threads9000_> I maintain this open source project (https://github.com/trailofbits/algo) though I'm not a developer. Several of Algo's users have done that and it works for them. I haven't personally tried.
[17:52] <threads9000_> I'll poke a few people that I think can further test this with backported packages on 16.04 and ask them to add comments to the ticket.
[17:54] <threads9000_> What is the typical uptake rate for SRUs (SRUs pushed vs filed/requested), and how long does it typically take to issue one?
[17:58] <teward> "It Varies" is the answer to both questions, I believe.
[17:58] <threads9000_> There's a second packaging issue with Network Manager too... but I'll get to that later. Basically, Network Manager does not support the AES-GCM cipher suite for IKE connections because it was not packaged with strongswan's openssl plugin. Therefore, it is limited to AES-CBC, an unauthenticated cipher mode that has resulted in a number of interesting
[17:58] <threads9000_> cryptographic attacks over the last ~3 years or so.
[17:59] <threads9000_> Ok, well, beyond having someone add to that ticket and say "I built strongSwan 5.5.1 on Ubuntu 16.04 and it works fine, etc." what else is required to get this moving?