Strongswan merge for Xenial

Ryan Harper ryan.harper at canonical.com
Mon Jan 25 14:49:44 UTC 2016


On Sun, Jan 24, 2016 at 9:38 PM, Simon Deziel <simon at sdeziel.info> wrote:

> Hi Ryan,
>

Hi Simon,

Thanks for taking a look at this merge.  I really appreciate the help
sorting through this merge.


>
> On 2016-01-22 11:54 AM, Ryan Harper wrote:
> > Hello,
> >
> > I've been working on merging[1] strongswan from Debian into Ubuntu for
> > Xenial.  We've not completed a merge with Debian for some time (Feb 19,
> > 2014 was the last time).  Ubuntu has been using version 5.1.2 since then
> > but Debian and upstream have moved on.  Ubuntu has collected a large delta
> > between Debian and with this merge I'm attempting to reduce the delta to
> > ease merging in the future.  In particular, the major change would be to
> > no longer create a package per-plugin and instead use the more general
> > standard/extra plugin packages as in Debian.  Each plugin has an
> > individual conf file which controls settings including whether to load or
> > not.  Currently the default template conf files default to loading plugins
> > if present;  it's not clear to me if this is a sensible default or if we
> > should leave them off by default.  Note that Strongswan doesn't currently
> > have something akin to apache's a2enmod and a2dismod meaning users will
> > need to edit conf as needed.  During this merge, I've also been using a
> > git-based merge workflow and the git repo tracking it is available here[3].
> >
> > Since the delta is large, I want to make sure that we document the changes
> > and provide opportunity for users of Strongswan in Ubuntu to provide
> > feedback and comments on this merge.  I've updated the package and placed
> > it in a PPA[2].
>
> Awesome work!
>
> > The remaining work items are:
> >   - Adding in transitional virtual Packages for upgrade from 5.1.2-0ubuntu8
> >   - Testing package upgrade
>
> I upgraded one system so far and it went well.
>

OK.  Do you have any of the plugins installed?


>
> >   - Attempting to exercise various modes of Strongswan, including the TPM
> >     enablement
> >   - Continue dropping additional delta no longer needed
> >   - Bug fixes (documenting which bugs this merge will resolve)
>
> If you bring in the few changes from [5], almost every bug in LP against
> Strongswan should be addressed.
>

Thanks, I'll go take a look at those changes.


>
> > I also plan to discuss many of the Ubuntu changes with Debian maintainers
> > to see if we can get some of the changes picked up there as well.
>
> I quickly skimmed Debian bugs and some of them could be closed by
> adopting some of the Ubuntu delta:
>
> debian #803787: ntru/bliss support (only ntru is enabled in Ubuntu)
> debian #739641: kernel-libipsec support
>

Great, I'll look at those too.


>
> > Below are some of the various changes between 5.1.2-0ubuntu8 and 5.3.5-1
> > (Debian) release.
> >
> >     - In Debian 5.3.5, there are 9 Packages defined in debian/control, and in
> >     Ubuntu 5.1.2-0ubuntu8 we have 70, mostly due to a binary per plugin
> >     in Ubuntu.
> >
> >     - Ubuntu also enables TNC Client and Server which requires enabling
> >     and packaging different binaries and plugins.
> >     https://wiki.strongswan.org/projects/1/wiki/TNCC
> >
> >     - Ubuntu has AppArmor profiles for some binaries
> >
> >     - Ubuntu updated start/stop scripts to use service instead of
> >     invoke-rc.d (may be moot w.r.t systemd for Ubuntu) Debian builds
> >     pt-tls-client but without TNC (Debian includes it in
> >     libcharon-extra-plugins)
> >
> >     - Ubuntu enables many additional options/features, including TPM support
> >     (with-tss=trousers, libtspi-dev) and smartcard access (libpcsclite-dev)
> >
> >     - Ubuntu enables (but Debian does not)
> >         unbound
> >         dnscert
> >         ipseckey
> >         coupling
> >         imv-swid
> >         imc-swid
> >         tnc-ifmap
> >         mysql
> >         tnc-pdp
> >         load-tester
> >         whitelist
> >         radattr
> >         ntru
> >         soup
> >         sqlite
> >         md4
> >         eap-*
>
>
> The acert plugin seems to be missing in your refreshed package. It was
> previously enabled in Ubuntu and the provided functionality seems useful
> [6].
>

OK. Will fix.


>
>
> >     - Debian enables (but Ubuntu does not)
> >         ha (needs special kernel as per jpds)
> >
> >     - Builddeps in Debian (but not Ubuntu)
> >         clearsilver-dev
> >         libfcgi-dev
> >
> >     - Other Removals from Debian
> >         *logcheck* files (not relevant to StrongSwan per jpds)
>
> The logcheck files are really dated (see debian #787156) and I've
> accumulated a few rules on my own. Even at the default log level charon
> is very verbose so I think it makes sense to have the package shipping
> logcheck rules. I'd be happy to provide those.
>

Yes please.


>
> >     - Ubuntu builds with nostrip for integrity checking (TPM)
> >
> >     - Ubuntu sets TESTS_REDUCED_KEYLENGTHS to generate smallest length key
> >     for tests.
> >
> >
> > Some additional changes which have raised some questions to which I don't
> > know the answer; any input is helpful here.
> >
> >     - Ubuntu drops install of debconf managed
> >     /var/lib/strongswan/ipsec.conf.inc
> >
> >     - Ubuntu force-building dhcp/farp instead of keeping under Linux-only
>
> Debian #640928 says it's to support kFreeBSD. Those plugins require
> CAP_NET_BIND_SERVICE and/or CAP_NET_RAW so maybe that's the explanation?
>

OK, I'll explore.  AFAICT, there's nothing wrong with leaving it how Debian
has it; that is, Ubuntu Linux still builds those packages as they are and
dropping this delta reduces merge burden.


>
> >     - Debian still calls dh_installinit with ipsec vs
> >     strongswan
> >
> >     - dropped Debian's enabling IKEv1 and v2 by default?
>
> Upstream's default when no specific version is configured is to use
> IKEv2 when initiating and accept both when responding.
>

Interesting.  Does that seem reasonable?  I imagine that enabling v1 and v2
means wider compatibility between client/server?  Is this still worth
enabling vs keeping things more secure (I'm asserting v2 is likely more
robust than v1, hence a version 2).


>
> >     - Ubuntu systemd file differs from Debian and Upstream.
> >
> >     - Ubuntu disable ha (claim in changelog says requires special kernel)
> >
> >     - Ubuntu disables fastcgi (libfcgi)
> >
> >     - Ubuntu disables clearsilver (as per MIR[4] noted discussion with upstream)
> >
> >
> > Upstream changes in Strongswan since 5.1.2 that have an impact on the Ubuntu
> > changes we're carrying.
> >
> >     - libpts dropped in 5.2.1, affects tnc-base
> >
> >     - no updown_espmark, updown manpage
>
> updown_espmark was apparently created to support kernels < 2.6.16.
>
> The updown man page will probably not be missed because the shell script
> is well documented on its own.
>

OK.  Seems like a reasonable drop due to changes upstream.


>
> >     - no openac, replaced with pki --acert command.
> >     https://wiki.strongswan.org/projects/strongswan/wiki/OpenAc
>
> If the acert plugin functionality is restored I believe this would be a
> non issue.
>

Right.


>
> > 1. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1535951
> > 2. ppa:raharper/merges
> > 3. https://code.launchpad.net/~raharper/ubuntu/+source/strongswan/+git/strongswan
> > 4. https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1266066
>
> Regards,
> Simon
>
>
> 5. https://github.com/simondeziel/ubuntu-strongswan/tree/new/debian_copy_in_old/debian
> 6. https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPkiAcert
>
>
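Added example, not part of the thread and not code from the strongSwan or Ubuntu packages. The thread notes that each plugin's load flag lives in its own conf file and that strongSwan has no a2enmod/a2dismod equivalent, so users edit conf files by hand. The POSIX shell script below is a minimal toggle of that kind. It assumes the 5.x layout of one /etc/strongswan.d/charon/<plugin>.conf per plugin holding a "<plugin> { load = yes }" section; the directory is a parameter so it can be run against a copy, and all function and option names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the strongSwan package.
# A minimal a2enmod/a2dismod-style toggle for strongSwan plugin conf files.
# Assumption: the 5.x layout of one DIR/<plugin>.conf per plugin holding a
# "<plugin> { ... load = yes ... }" section.  DIR is normally
# /etc/strongswan.d/charon; it is a parameter so the script can be run
# against a copy.  All function and option names are hypothetical.
set -eu

# check_name NAME: plugin names are lower-case words with dashes, e.g. eap-tls
check_name() {
    case $1 in
        ''|*[!a-z0-9-]*) echo "bad plugin name '$1'" >&2; return 1 ;;
    esac
}

# swan_plugin_status DIR NAME: prints yes, no, or missing.  A file with no
# uncommented "load =" line reports yes, because charon loads such a plugin.
swan_plugin_status() {
    check_name "$2" || return 1
    f="$1/$2.conf"
    [ -f "$f" ] || { echo missing; return 0; }
    v=$(sed -n 's/^[[:space:]]*load[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" | head -n 1)
    echo "${v:-yes}"
}

# swan_plugin_set DIR NAME yes|no: rewrites the load value in place, keeping
# comments; if the file has no load line at all, one is added after "<name> {".
swan_plugin_set() {
    check_name "$2" || return 1
    case $3 in yes|no) ;; *) echo "value must be yes or no" >&2; return 1 ;; esac
    f="$1/$2.conf"
    [ -f "$f" ] || { echo "no conf file for plugin '$2' in $1" >&2; return 1; }
    if grep -q '^[[:space:]]*load[[:space:]]*=' "$f"; then
        awk -v v="$3" '
            /^[ \t]*load[ \t]*=/ { sub(/=[ \t]*[^ \t#]*/, "= " v) }
            { print }' "$f" > "$f.tmp"
    else
        awk -v n="$2" -v v="$3" '
            { print }
            !added && $1 == n && $2 == "{" { print "    load = " v; added = 1 }' "$f" > "$f.tmp"
    fi
    mv "$f.tmp" "$f"
}

# swan_plugin_list DIR: one "name status" line per conf file in DIR
swan_plugin_list() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        n=${f##*/}; n=${n%.conf}
        echo "$n $(swan_plugin_status "$1" "$n")"
    done
}

# Command-line use, e.g.:  sh swan-plugin.sh -d /etc/strongswan.d/charon disable load-tester
swan_plugin_main() {
    dir=/etc/strongswan.d/charon
    if [ "$1" = -d ]; then dir=$2; shift 2; fi
    case $1 in
        enable)  swan_plugin_set "$dir" "$2" yes ;;
        disable) swan_plugin_set "$dir" "$2" no ;;
        status)  swan_plugin_status "$dir" "$2" ;;
        list)    swan_plugin_list "$dir" ;;
        *) echo "usage: $0 [-d DIR] enable|disable|status|list [NAME]" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    swan_plugin_main "$@"
fi
```

Plugins are loaded when charon starts, so a change made this way only takes effect after the daemon is restarted; "ipsec listplugins" then shows what was actually loaded. Also check strongswan.conf first: if a charon.load list is set there, it takes precedence over the per-plugin load settings.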