RFC 8247 demoted it to SHOULD NOT. This might break connections with
Windows clients unless they are configured to use a stronger group or
matching weak proposals are configured explicitly on the server.
References #2427.
The MySQL client doesn't like overlapping queries on the same
connection, so we make sure to destroy the enumerator used to check for
an existing pool before deleting it when --replace is used.
This is not ideal as the call to C_Finalize() should be the last one via
the PKCS#11 API. Since the order in which jobs are canceled is undefined
we can't be sure there is no other thread still using the library (it could
even be the canceled job that still handles a previous slot event).
According to PKCS#11 the behavior of C_Finalize() is undefined while other
threads still make calls over the API.
However, canceling the thread, as done previously, could also be problematic
as PKCS#11 libraries could hold locks while in the C_WaitForSlotEvent() call,
which might not get released properly when the thread is just canceled,
and which then might cause later calls to other API functions to block.
Fixes#2437.
If enabled, add the RADIUS Class attributes received in Access-Accept messages
to RADIUS accounting messages as suggested by RFC 2865 section 5.25.
Fixes#2451.
We do something similar in reestablish() for break-before-make reauth.
If we don't abort we'd be sending an IKE_AUTH without any TS payloads.
References #2430.
The fix for gperf in 0ae19f0ced added the generated header to
EXTRA_DIST but that's already added to the distribution because it is
contained in *_SOURCES, what was not added, though, was the .h.in file.
Also fixes the reference to the header file in the .c rule here and for
stroke in out-of-tree builds.
Fixes: 0ae19f0ced ("configure: Fix gperf length parameter determination")
This can happen if a stream is used blocking exclusively (the FD is
never registered with watcher, but is removed in the stream's destructor
just in case it ever was - doing this conditionally would require an
additional flag in streams). There may be no thread reading from
the read end of the notify pipe (e.g. in starter), causing the write
to the notify pipe to block after it's full. Anyway, doing a relatively
expensive FD update is unnecessary if there were no changes.
Fixes#1453.
This allows systemd socket activation by passing URIs such as systemd://foo
to plugins such as VICI.
For example setting charon.plugins.vici.socket = systemd://vici, a
systemd socket file descriptor with the name "vici" will be picked up.
So these would be the corresponding unit options:
[Socket]
FileDescriptorName=vici
Service=strongswan.service
ListenStream=/run/charon.vici
The implementation currently is very basic and right now only the first
file descriptor for a particular identifier is picked up if there are
multiple socket units with the same FileDescriptorName.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Closesstrongswan/strongswan#79.
Just rely on the default proposals by charon if nothing is defined. The
hard-coded IKE proposal used curve25519, which depends on an optional
plugin (while enabled by default it might still not be loaded, or, like
on Debian, shipped in an optional package). With charon's default
proposal only loaded algorithms are proposed for IKE avoiding this issue.
With OpenSSL 1.1.0 the library is now named libcrypto too on Windows.
Check for libeay32 first so we don't link against the build environment's
version of OpenSSL instead of the native one that might be available.
The order of arguments in X509_CRL_get0_signature() is not the same as that
of X509_get0_signature().
Fixes: 989ba4b6cd ("openssl: Update CRL API to OpenSSL 1.1.0")
gperf is not actually a build dependency as the generated files are
shipped in the tarball. So the type depends on the gperf version on
the host that ran gperf and created the tarball, which might not be
the same as that on the actual build host, and gperf might not even
be installed there, leaving the type undetermined.
Fixes: e0e4322973 ("configure: Detect type of length parameter for gperf generated function")
It seems that there is a race, at least in 10.13, that lets
if_indextoname() fail for the new TUN device. So we delay the call a bit,
which seems to "fix" the issue. It's strange anyway that the previous
delay was only applied when an iface entry was already found.
Tobias Brunner