Red Hat ENTERPRISE LINUX 5.5 - TECHNICAL NOTES Manual page 209

Updated openswan packages that fix an issue with NSS passwords being logged at run time are now
available.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange
(IKE) for Linux. IPsec uses strong cryptography to provide both authentication and encryption
services. These services allow you to build secure tunnels through untrusted networks. Everything
passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the
gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.
These packages contain the daemons and userland tools for setting up openswan. They support the
NETKEY/XFRM IPsec stack in the default Linux kernel. The openswan 2.6.x series also supports
IKEv2, as described in RFC 4306.
This update addresses the following issue:
* When an NSS database is created with a password (in either FIPS or non-FIPS mode), access to a
private key (associated with a certificate or a raw public key) requires authentication. At
authentication time, openswan passes the database password to NSS. Previously, openswan also
logged that password to /var/log/secure, and it appeared in the output of "ipsec barf" as well.
With this update, openswan still passes the database password to NSS at authentication time but
no longer logs it in any fashion. Because /var/log/secure and collected "ipsec barf" output may
have been read or shared while the affected packages were in use, administrators should treat an
NSS database password from that period as exposed and change it.
(BZ#557688, https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=557688)
All openswan users are advised to upgrade to these updated packages, which resolve this issue.
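Added check (example code written for this page, not part of the advisory or of openswan): given the NSS database password, scan /var/log/secure and a saved copy of "ipsec barf" output for it and report any hit with the password redacted, so the report itself does not re-leak it. It assumes the password is kept in an openswan-style /etc/ipsec.d/nsspassword file of "<token name>:<password>" lines (an assumption about the layout); the password file contents and the log lines in the block are constructed samples, not real pluto output.

```python
"""Check whether an NSS database password has leaked into openswan logs.

Added example, not code from the Red Hat advisory or the openswan project.
Assumes an openswan-style nsspassword file with one "<token name>:<password>"
entry per line (assumption); sample log lines below are constructed.
"""


def load_nss_passwords(text):
    """Parse "<token>:<password>" lines; blank lines and '#' comments are skipped.
    The split is on the first colon only, so a password may itself contain colons."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token, sep, password = line.partition(":")
        if sep and password:
            entries[token.strip()] = password
    return entries


def redact(line, secret):
    """Replace every occurrence of the secret so the report does not re-leak it."""
    return line.replace(secret, "<redacted>")


def find_password_leaks(passwords, lines, source="log"):
    """Return (token, source, line_number, redacted_line) for every line that
    contains one of the passwords as a literal substring (no regex involved)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token, secret in passwords.items():
            if secret in line:
                hits.append((token, source, number, redact(line, secret)))
    return hits


def audit(password_text, sources):
    """sources: mapping of name -> list of lines, e.g. /var/log/secure and a
    saved 'ipsec barf' dump. Returns all hits; an empty list means no leak found."""
    passwords = load_nss_passwords(password_text)
    hits = []
    for name, lines in sources.items():
        hits.extend(find_password_leaks(passwords, lines, name))
    return hits


# Constructed sample input (not a real nsspassword file, not real log output).
NSSPASSWORD_TEXT = "# token:password\nNSS Certificate DB:s3cr3t:nss-pw\n"
SECURE_LOG_LINES = [
    "Mar  3 10:12:01 gw pluto[2231]: loaded private key for keyid",
    "Mar  3 10:12:01 gw pluto[2231]: NSS Password: s3cr3t:nss-pw",
    'Mar  3 10:12:02 gw pluto[2231]: "west-east" #1: initiating Main Mode',
]
BARF_LINES = [
    "000 using kernel interface: netkey",
    "000 interface eth0/eth0 192.0.2.1",
]

if __name__ == "__main__":
    sources = {"/var/log/secure": SECURE_LOG_LINES, "ipsec-barf.txt": BARF_LINES}
    for token, source, number, line in audit(NSSPASSWORD_TEXT, sources):
        print(f"LEAK: password for token {token!r} in {source} line {number}: {line}")
```

On a gateway that ran the affected packages, point audit() at the real /var/log/secure (including rotated copies) and at any archived "ipsec barf" output; a non-empty result means the password should be treated as exposed.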
1.146.2. RHBA-2009:1612: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:1612.
Updated openswan packages that fix an issue and enable Openswan to pass the TAHI test suite for
HMAC-SHA1-96 support are now available.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange
(IKE) for Linux. IPsec uses strong cryptography to provide both authentication and encryption
services. These services allow you to build secure tunnels through untrusted networks. Everything
passing through the untrusted net is encrypted by the IPsec gateway machine and decrypted by the
gateway at the other end of the tunnel. The resulting tunnel is a virtual private network, or VPN.
These packages contain the daemons and userland tools for setting up Openswan. They support the
NETKEY/XFRM IPsec stack in the default Linux kernel. The Openswan 2.6.x series also supports
IKEv2, as described in RFC 4306.
The TAHI Project IPv6 Ready Test Suite, Phase 2, includes an IKE version 2 test category. This
category requires support for the HMAC-SHA1-96 integrity algorithm (HMAC-SHA-1 with its output
truncated to 96 bits), which Openswan previously lacked. With this update, HMAC-SHA1-96 support
has been added to the openswan package.
(BZ#533883, https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=533883)
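To make the added algorithm concrete, the following shows HMAC-SHA1-96 as IPsec and IKEv2 use it: the full HMAC-SHA-1 is computed with the full key and only the leftmost 96 bits of the output are kept as the integrity check value, which is then verified in constant time. This is an added example in Python using only the standard library, not openswan's implementation; the RFC 2202 test vector is public and the "IKEv2 payload" is a constructed sample.

```python
"""HMAC-SHA1-96: HMAC-SHA-1 with the 160-bit output truncated to 96 bits.

Added example, not openswan's own code. Standard library only.
"""
import hashlib
import hmac

ICV_LEN = 12  # 96 bits


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """Full HMAC-SHA-1, then keep the first 12 bytes. Truncation applies only to
    the output; the key is used in full (RFC 2104 section 5, RFC 2404)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, payload: bytes) -> bytes:
    """Append the 96-bit ICV to the payload, as ESP/IKEv2 integrity protection does."""
    return payload + hmac_sha1_96(key, payload)


def verify(key: bytes, message: bytes):
    """Split off the trailing ICV and check it in constant time.
    Returns the payload on success, None if the ICV is missing or wrong."""
    if len(message) < ICV_LEN:
        return None
    payload, icv = message[:-ICV_LEN], message[-ICV_LEN:]
    if not hmac.compare_digest(hmac_sha1_96(key, payload), icv):
        return None
    return payload


# RFC 2202 test case 1: key = 0x0b repeated 20 times, data = "Hi There".
RFC2202_KEY = b"\x0b" * 20
RFC2202_DATA = b"Hi There"
RFC2202_HMAC_SHA1 = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")


def rfc2202_check() -> bool:
    """The truncated tag must equal the first 12 bytes of the published digest."""
    return hmac_sha1_96(RFC2202_KEY, RFC2202_DATA) == RFC2202_HMAC_SHA1[:ICV_LEN]


def tamper_demo(key: bytes, payload: bytes) -> bool:
    """Flip one bit of a protected message; True means verification rejected it."""
    msg = bytearray(protect(key, payload))
    msg[0] ^= 0x01
    return verify(key, bytes(msg)) is None


if __name__ == "__main__":
    k = b"\x42" * 20                      # constructed sample key
    p = b"constructed IKEv2 payload"      # constructed sample payload
    print("RFC 2202 vector ok:", rfc2202_check())
    print("round trip ok:", verify(k, protect(k, p)) == p)
    print("tampered message rejected:", tamper_demo(k, p))
```

A peer that negotiates AUTH_HMAC_SHA1_96 for IKEv2 (or HMAC-SHA-1-96 for ESP) must produce and accept exactly this 12-byte tag; a 20-byte untruncated tag from the same key and data is a different, incompatible transform.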
RHBA-2009:1612: bug fix update    199