[Pkg-openssl-devel] Bug#1110055: libssl3t64: Upgrade of libssl3t64 breaks strongswan

Marc F. Clemente marc at mclemente.net
Tue Jul 29 22:15:26 BST 2025


On 7/28/25 11:34 PM, Chris Hofstaedtler wrote:
> reopen 1109942
> affects 1110055 strongswan-charon
> thanks
> 
> On Mon, Jul 28, 2025 at 05:30:00PM -0500, Marc Clemente wrote:
>> Upgrading libssl3t64 from 3.5.0-2 to 3.5.1-1 breaks strongswan (6.0.1-6).  This is reproduced on armel and armhf architectures.  I was unable to reproduce it on amd64.
>>
>> root@raspberry:~# dpkg -l | grep libssl3t64
>> ii  libssl3t64:armhf                     3.5.1-1                        armhf        Secure Sockets Layer toolkit - shared libraries
>> root@raspberry:~# swanctl -i -c chronos
> [..]
>> [IKE] local host is behind NAT, sending keep alives
>> [IKE] KDF_PRF with PRF_HMAC_SHA2_256 not supported
>> [IKE] key derivation failed
>> initiate failed: establishing CHILD_SA 'chronos' failed
> 
> This is probably #1109942, which was closed, but has relevant info.
> Maybe you can take a look at that too.

Yes.  Same thing.  I don't know how the original submitter of #1109942 
solved their problem.

I solved mine by downgrading libssl3t64.

I was also able to replicate the problem on amd64.

Also, if libstrongswan-extra-plugins is installed, then this "bug" does 
not manifest itself.  So that's another workaround.

Upgrading strongswan to 6.0.2 is not an option at this time (not 
available on the repository).


