diff --git a/lib/libipsecconf/parser.l b/lib/libipsecconf/parser.l
index c41dd8048..cc2faf5c9 100644
--- a/lib/libipsecconf/parser.l
+++ b/lib/libipsecconf/parser.l
@@ -160,7 +160,9 @@ static int parser_y_nextglobfile(struct ic_inputsource *iis)
 		char ebuf[128];
 
 		snprintf(ebuf, sizeof(ebuf),
-			"cannot open include filename: '%s': %s",
+			(strstr(iis->filename, "crypto-policies/back-ends/libreswan.config") == NULL) ?
+				"cannot open include filename: '%s': %s" :
+				"ignored loading default system-wide crypto-policies file '%s': %s",
 			iis->fileglob.gl_pathv[fcnt],
 			strerror(errno));
 		yyerror(ebuf);
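Review bot: The `strstr` test on line 11 matches the literal `"crypto-policies/back-ends/libreswan.config"` anywhere inside `iis->filename`, so the softer "ignored" wording is selected by substring rather than by confirming that this really is the system-wide default include; any other path containing that fragment (a backup copy, a test fixture) would also be reported as ignored. If the intent is to special-case only the file referenced from programs/configs/ipsec.conf.in (the `include /etc/crypto-policies/back-ends/libreswan.config` line added there), compare the full path with `strcmp` against a single shared constant rather than duplicating the string here, and record the coupling: `/* keep in sync with the default include in programs/configs/ipsec.conf.in */`. The message is also still handed to `yyerror()` on line 16, so unless yyerror treats it as non-fatal the word "ignored" may overstate what actually happens to the parse — worth confirming. The enclosing function parser_y_nextglobfile begins before this hunk.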
diff --git a/programs/configs/ipsec.conf.in b/programs/configs/ipsec.conf.in
index 7374efc3c..974699f01 100644
--- a/programs/configs/ipsec.conf.in
+++ b/programs/configs/ipsec.conf.in
@@ -1,27 +1,18 @@
 # @FINALCONFDIR@/ipsec.conf - Libreswan IPsec configuration file
 #
-# Manual:     ipsec.conf.5
+# see 'man ipsec.conf' and 'man pluto' for more information
+#
+# For example configurations and documentation, see https://libreswan.org/wiki/
 
 config setup
-	# Normally, pluto logs via syslog. If you want to log to a file,
-	# specify below or to disable logging, eg for embedded systems, use
-	# the file name /dev/null
-	# Note: SElinux policies might prevent pluto writing to a log file at
-	#       an unusual location.
+	# Normally, pluto logs via syslog.
 	#logfile=/var/log/pluto.log
 	#
 	# Do not enable debug options to debug configuration issues!
 	#
-	# plutodebug "all", "none" or a combation from below:
-	# "raw crypt parsing emitting control controlmore kernel pfkey
-	#  natt x509 dpd dns oppo oppoinfo private".
-	# Note: "private" is not included with "all", as it can show confidential
-	#       information. It must be specifically specified
-	# examples:
 	# plutodebug="control parsing"
 	# plutodebug="all crypt"
-	# Again: only enable plutodebug when asked by a developer
-	#plutodebug=none
+	plutodebug=none
 	#
 	# NAT-TRAVERSAL support
 	# exclude networks used on server side by adding %v4:!a.b.c.0/24
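Review bot: The trimmed plutodebug commentary around lines 46-47 drops the one caveat operators needed: that `private` is not part of `all` because it can show confidential information. One line restoring it, `# Note: "private" is not part of "all"; it can log confidential information`, keeps the example block short while preserving the warning. Making `plutodebug=none` an active setting on line 50 is reasonable, but the advice to enable plutodebug only when asked by a developer was removed with it; consider folding that into the "Do not enable debug options" line at 38.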
@@ -30,10 +21,8 @@ config setup
 	# This range has never been announced via BGP (at least up to 2015)
 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
 
-# For example connections, see your distribution's documentation directory,
-# or https://libreswan.org/wiki/
-#
-# There is also a lot of information in the manual page, "man ipsec.conf"
-#
+# if it exists, include system wide crypto-policy defaults
+include /etc/crypto-policies/back-ends/libreswan.config
+
 # It is best to add your IPsec connections as separate files in @IPSEC_CONFDDIR@/
 include @IPSEC_CONFDDIR@/*.conf