|
version 1.1.1.1, 2020/06/03 09:46:43
|
version 1.1.1.2, 2021/03/17 00:20:08
|
|
Line 1
|
Line 1
|
| |
strongswan-5.9.2 |
| |
---------------- |
| |
|
| |
- Together with a Linux 5.8 kernel supporting the IMA measurement of the GRUB |
| |
bootloader and the Linux kernel, the strongSwan Attestation IMC allows to do |
| |
remote attestation of the complete boot phase. A recent TPM 2.0 device with a |
| |
SHA-256 PCR bank is required, so that both BIOS and IMA file measurements are |
| |
based on SHA-256 hashes. |
| |
|
| |
- Our own TLS library (libtls) that we use for TLS-based EAP methods and PT-TLS |
| |
gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and |
| |
Pascal Knecht (client and server) for their work on this. |
| |
Because the use of TLS 1.3 with these EAP methods is not yet standardized (two |
| |
Internet-Drafts are being worked on), the default maximum version is currently |
| |
set to TLS 1.2, which is now also the default minimum version. However the TNC |
| |
test scenarios using PT-TLS transport already use TLS 1.3. |
| |
|
| |
- Other improvements for libtls also affect older TLS versions. For instance, we |
| |
added support for ECDH with Curve25519/448 (DH groups may also be configured |
| |
now), for EdDSA keys and certificates and for RSA-PSS signatures. Support for |
| |
old and weak cipher suites has been removed (e.g. with 3DES and MD5) as well |
| |
as signature schemes with SHA-1. |
| |
|
| |
- The listener_t::ike_update event is now also called for MOBIKE updates. Its |
| |
signature has changed so we only have to call it once if both addresses/ports |
| |
have changed (e.g. for an address family switch). The event is now also |
| |
exposed via vici. |
| |
|
| |
- The farp plugin has been ported to macOS and FreeBSD. Thanks to Dan James for |
| |
working on this. |
| |
|
| |
- To fix DNS server installation with systemd-resolved, charon-nm now creates a |
| |
dummy TUN device again (was removed with 5.5.1). |
| |
|
| |
- The botan plugin can use rng_t implementations provided by other plugins when |
| |
generating keys etc. if the Botan library supports it. |
| |
|
| |
- charon-tkm now supports multiple CAs and is configured via vici/swanctl. |
| |
|
| |
- Simple glob patterns (e.g. include conf.d/*.conf) now also work on Windows. |
| |
Handling of forward slashes in paths on Windows has also been improved. |
| |
|
| |
- The abbreviations for the 'surname' and 'serial number' RDNs in ASN.1 DNs have |
| |
been changed to align with RFC 4519: The abbreviation for 'surname' is now |
| |
"SN" (was "S" before), which was previously used for 'serial number' that can |
| |
now be specified as "serialNumber" only. |
| |
|
| |
- An issue with Windows clients requesting previous IPv6 but not IPv4 virtual |
| |
IP addresses has been fixed. |
| |
|
| |
- ike_sa_manager_t: Checking out IKE_SAs by config is now atomic (e.g. when |
| |
acquires for different children of the same connection arrive concurrently). |
| |
The checkout_new() method has been renamed to create_new(). A new |
| |
checkout_new() method allows registering a new IKE_SA with the manager before |
| |
checking it in, so jobs can be queued without losing them as they can block |
| |
on checking out the new SA. |
| |
|
| |
|
| |
strongswan-5.9.1 |
| |
---------------- |
| |
|
| |
- Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI |
| |
measurements introduced with the Linux 5.4 kernel. |
| |
|
| |
- Nonces in OCSP responses are not enforced anymore and only validated if a |
| |
nonce is actually contained. |
| |
|
| |
- Fixed an issue when only some fragments of a retransmitted IKEv2 message were |
| |
received, which prevented processing a following fragmented message. |
| |
|
| |
- All queued vici messages are now sent to subscribed clients during shutdown, |
| |
which includes ike/child-updown events triggered when all SAs are deleted. |
| |
|
| |
- CHILD_SA IP addresses are updated before installation to allow MOBIKE updates |
| |
while retransmitting a CREATE_CHILD_SA request. |
| |
|
| |
- When looking for a route to the peer, the kernel-netlink plugin ignores the |
| |
current source address if it's deprecated. |
| |
|
| |
- The file and syslog loggers support logging the log level of each message |
| |
after the subsystem (e.g. [IKE2]). |
| |
|
| |
- charon-nm is now properly terminated during system shutdown. |
| |
|
| |
- Improved support for EdDSA keys in vici/swanctl, in particular, encrypted |
| |
keys are now supported. |
| |
|
| |
- A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID |
| |
to prevent Cisco devices from narrowing a 0.0.0.0/0 traffic selector. |
| |
|
| |
- The openssl plugin accepts CRLs issued by non-CA certificates if they contain |
| |
the cRLSign keyUsage flag (the x509 plugin already does this since 4.5.1). |
| |
|
| |
- Attributes in PKCS#7 containers, as used in SCEP, are now properly |
| |
DER-encoded, i.e. sorted. |
| |
|
| |
- The load-tester plugin now supports virtual IPv6 addresses and IPv6 source |
| |
address pools. |
| |
|
| |
|
| |
strongswan-5.9.0 |
| |
---------------- |
| |
|
| |
- We prefer AEAD algorithms for ESP and therefore put AES-GCM in a default AEAD |
| |
proposal in front of the previous default proposal. |
| |
|
| |
- The NM backend now clears cached credentials when disconnecting, has DPD and |
| |
and close action set to restart, and supports custom remote TS via 'remote-ts' |
| |
option (no GUI support). |
| |
|
| |
- The pkcs11 plugin falls back to software hashing for PKCS#1v1.5 RSA signatures |
| |
if mechanisms with hashing (e.g. CKM_SHA256_RSA_PKCS) are not supported. |
| |
|
| |
- The owner/group of log files is now set so the daemon can reopen them if the |
| |
config is reloaded and it doesn't run as root. |
| |
|
| |
- The wolfssl plugin (with wolfSSL 4.4.0+) supports x448 DH and Ed448 keys. |
| |
|
| |
- The vici plugin stores all CA certificates in one location, which avoids |
| |
issues with unloading authority sections or clearing all credentials. |
| |
|
| |
- When unloading a vici connection with start_action=start, any related IKE_SAs |
| |
without children are now terminated (including those in CONNECTING state). |
| |
|
| |
- The hashtable implementation has been changed so it maintains insertion order. |
| |
This was mainly done so the vici plugin can store its connections in a |
| |
hashtable, which makes managing high numbers of connections faster. |
| |
|
| |
- The default maximum size for vici messages (512 KiB) can now be changed via |
| |
VICI_MESSAGE_SIZE_MAX compile option. |
| |
|
| |
- The charon.check_current_path option allows forcing a DPD exchange to check if |
| |
the current path still works whenever interface/address-changes are detected. |
| |
|
| |
- It's possible to use clocks other than CLOCK_MONOTONIC (e.g. CLOCK_BOOTTIME) |
| |
via TIME_CLOCK_ID compile option if clock_gettime() is available and |
| |
pthread_condattr_setclock() supports that clock. |
| |
|
| |
- Test cases and functions can now be filtered when running the unit tests. |
| |
|
| |
|
| strongswan-5.8.4 |
strongswan-5.8.4 |
| ---------------- |
---------------- |
| |
|
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to NEWS CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan