Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 25 Aug 2016 17:23:16 +0300
From:      abi <abi@abinet.ru>
To:        freebsd-ports@freebsd.org
Subject:   libressl and strongswan
Message-ID:  <20160825172316.2e04f55c3a6066d3661c0eab@abinet.ru>

next in thread | raw e-mail | index | archive | help
After I recompiled my ports with libressl support (openntpd asked for it), I have an issue with security/strongswan
Or 2 issues, actually:
Aug 25 17:14:59 sphinx charon: 00[LIB] plugin 'openssl' failed to load: /usr/local/lib/ipsec/plugins/libstrongswan-openssl.so: Undefined symbol "CMS_RecipientInfo_ktri_get0_signer_id"
Aug 25 17:14:59 sphinx charon: 05[IKE] configured DH group MODP_3072 not supported

I tried different DH groups without any success, so I suppose strongswan is broken.
I read UPDATING and applied https://raw.githubusercontent.com/HardenedBSD/hardenedbsd-ports/c2091a265c9c78401cd1f4135de97590c8e7c454/security/strongswan/files/patch-src_libstrongswan_plugins_openssl_openssl__plugin.c

No effect at all. Any workarounds or confirmation?


Aug 25 17:14:59 sphinx charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, FreeBSD 11.0-RC1, amd64)
Aug 25 17:14:59 sphinx charon: 00[LIB] plugin 'openssl' failed to load: /usr/local/lib/ipsec/plugins/libstrongswan-openssl.so: Undefined symbol "CMS_RecipientInfo_ktri_get0_signer_id"
Aug 25 17:14:59 sphinx charon: 00[NET] could not open socket: Address family not supported by protocol family
Aug 25 17:14:59 sphinx charon: 00[NET] could not open IPv6 socket, IPv6 disabled
Aug 25 17:14:59 sphinx charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Aug 25 17:14:59 sphinx charon: 00[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
Aug 25 17:14:59 sphinx charon: 00[CFG]   loading ca certificate from '/usr/local/etc/ipsec.d/cacerts/ipsec-ca-cert.pem' failed
Aug 25 17:14:59 sphinx charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Aug 25 17:14:59 sphinx charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug 25 17:14:59 sphinx charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug 25 17:14:59 sphinx charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug 25 17:14:59 sphinx charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug 25 17:14:59 sphinx charon: 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 4 builders
Aug 25 17:14:59 sphinx charon: 00[CFG]   loading private key from '/usr/local/etc/ipsec.d/private/ipsec-sphinx-key.pem' failed
Aug 25 17:14:59 sphinx charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap whitelist addrblock
Aug 25 17:14:59 sphinx charon: 00[JOB] spawning 16 worker threads
Aug 25 17:14:59 sphinx ipsec_starter[96396]: charon (96397) started after 20 ms
Aug 25 17:14:59 sphinx charon: 01[CFG] received stroke: add connection 'abinet'
Aug 25 17:14:59 sphinx charon: 01[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Aug 25 17:14:59 sphinx charon: 01[CFG]   loading certificate from 'ipsec-sphinx-cert.pem' failed
Aug 25 17:14:59 sphinx charon: 01[CFG] added configuration 'abinet'
Aug 25 17:14:59 sphinx charon: 05[CFG] received stroke: initiate 'abinet'
Aug 25 17:14:59 sphinx charon: 05[IKE] initiating IKE_SA abinet[1] to xxxxxxxxxxxxxxxx
Aug 25 17:14:59 sphinx charon: 05[IKE] configured DH group MODP_3072 not supported
Aug 25 17:14:59 sphinx charon: 05[MGR] tried to checkin and delete nonexisting IKE_SA


-- 
abi <abi@abinet.ru>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160825172316.2e04f55c3a6066d3661c0eab>