+strongswan-5.9.14
+-----------------
+
+- Support for the IKEv2 OCSP extensions (RFC 4806) has been added, which allows
+ peers to request and send OCSP responses directly in IKEv2.
+
+- Validation of X.509 name constraints in the constraints plugin has been
+ refactored to align with RFC 5280.
+
+- The dhcp plugin has been ported to FreeBSD/macOS.
+
+- The openssl plugin is now compatible with AWS-LC.
+
+- Overflows of unique identifiers (e.g. Netlink sequence numbers or reqids) are
+ now handled gracefully.
+
+- Updated the pkcs11.h header based on the latest OpenSC version in order to
+ include new algorithm and struct definitions for the pkcs11 plugin.
+ Added support for PSS padding in smartcard-based RSA signatures using either
+ on-chip or external data hashing.
+
+- Added keyid and certid handles in the pki --ocsp command so that keys and/or
+ certificates can be stored on a smartcard or in a TPM 2.0 device.
+
+- Fail SA installation on Linux if replay protection is disabled while ESN is
+ enabled, which the kernel currently doesn't support.
+
+
+strongswan-5.9.13
+-----------------
+
+- Fixes a regression with handling OCSP error responses and adds a new
+ option to specify the length of nonces in OCSP requests. Also adds some
+ other improvements for OCSP handling and fuzzers for OCSP
+ requests/responses.
+
+
+strongswan-5.9.12
+-----------------
+
+- Fixed a vulnerability in charon-tkm related to processing DH public values
+ that can lead to a buffer overflow and potentially remote code execution.
+ This vulnerability has been registered as CVE-2023-41913.
+
+- The new `pki --ocsp` command produces OCSP responses based on certificate
+ status information provided by plugins.
+
+ Two sources are currently available, the openxpki plugin that directly
+ accesses the OpenXPKI database and the `--index` argument, which reads
+ certificate status information from OpenSSL-style index.txt files.
+
+- The cert-enroll script handles the initial enrollment of an X.509 host
+ certificate with a PKI server via the EST or SCEP protocols.
+
+ Run as a systemd timer or via a crontab entry the script daily checks the
+ expiration date of the host certificate. When a given deadline is reached,
+ the host certificate is automatically renewed via EST or SCEP re-enrollment
+ based on the possession of the old private key and the matching certificate.
+
+- The --priv argument for charon-cmd allows using any type of private key.
+
+- Support for nameConstraints of type iPAddress has been added (the openssl
+ plugin previously didn't support nameConstraints at all).
+
+- SANs of type uniformResourceIdentifier can now be encoded in certificates.
+
+- Password-less PKCS#12 and PKCS#8 files are supported.
+
+- A new global option allows preventing peers from authenticating with trusted
+ end-entity certificates (i.e. local certificates).
+
+- ECDSA public keys that encode curve parameters explicitly are now rejected by
+ all plugins that support ECDSA.
+
+- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can
+ also use the name in connection.interface-name.
+
+- The resolve plugin tries to maintain the order of installed DNS servers.
+
+- The kernel-libipsec plugin always installs routes even if no address is found
+ in the local traffic selectors.
+
+- Increased the default receive buffer size for Netlink sockets to 8 MiB and
+ simplified its configuration.
+
+- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of
+ always generating a hash of the subjectPublicKey.
+
+- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
+ timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
+ unrelated traffic selectors.
+
+- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT,
+ instead callbacks are always invoked even if only errors are signaled.
+
+- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when
+ handling invalid messages.
+
+- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs.
+
+- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if
+ CHILD_SA is not found during rekeying.
+
+- The testing environment is now based on Debian 12 (bookworm), by default.
+
+
+strongswan-5.9.11
+-----------------
+
+- A deadlock in the vici plugin has been fixed that could get triggered when
+ multiple connections were initiated/terminated concurrently and control-log
+ events were raised by the watcher_t component.
+
+- CRLs have to be signed by a certificate that has the cRLSign keyUsage bit
+ encoded (even if it's a CA), or a CA certificate without keyUsage extension.
+
+- Optional CA labels in EST server URIs are supported by `pki --est/estca`.
+
+- CMS-style signatures in PKCS#7 containers are supported by the pkcs7 and
+ openssl plugins, which allows verifying RSA-PSS and ECDSA signatures.
+
+- Fixed a regression in the server implementation of EAP-TLS with TLS 1.2 or
+ earlier that was introduced with 5.9.10.
+
+- Ensure the TLS handshake is complete in the EAP-TLS client with TLS <= 1.2.
+
+- kernel-libipsec can process raw ESP packets on Linux (disabled by default) and
+ gained support for trap policies.
+
+- The dhcp plugin uses an alternate method to determine the source address
+ for unicast DHCP requests that's not affected by interface filtering.
+
+- Certificate and trust chain selection as initiator has been improved in case
+ the local trust chain is incomplete and an unrelated certreq is received.
+
+- ECDSA and EdDSA keys in IPSECKEY RRs are supported by the ipseckey plugin.
+
+- To bypass tunnel mode SAs/policies, the kernel-wfp plugin installs bypass
+ policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer.
+
+- Stale OCSP responses are now replace in-place in the certificate cache.
+
+- Fixed parsing of SCEP server capabilities by `pki --scep/scepca`.
+
+
+strongswan-5.9.10
+-----------------
+
+- Fixed a vulnerability related to certificate verification in TLS-based EAP
+ methods that leads to an authentication bypass followed by an expired pointer
+ dereference that results in a denial of service and possibly even remote code
+ execution.
+ This vulnerability has been registered as CVE-2023-26463.
+
+- Added support for full packet hardware offload for IPsec SAs and policies with
+ Linux 6.2 kernels to the kernel-netlink plugin.
+
+- TLS-based EAP methods now use the standardized key derivation when used
+ with TLS 1.3.
+
+- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
+ implementing the "protected success indication".
+
+- With the `prefer` value for the `childless` setting, initiators will create
+ a childless IKE_SA if the responder supports the extension.
+
+- Routes via XFRM interfaces can optionally be installed automatically by
+ enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
+
+- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
+ issues with name resolution if they are supported by the kernel.
+
+- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
+ PKCS#10 certificate signing request.
+
+- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
+ (replace them completely, or adding/removing specific flags).
+
+- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
+ IPsec SAs instead of the policies.
+
+- For libcurl with MultiSSL support, the curl plugin provides an option to
+ select the SSL/TLS backend.
+
+
+strongswan-5.9.9
+----------------
+
+- The charon.reqid_base setting allows specifying the first reqid that's
+ automatically assigned to a CHILD_SA.
+
+- The path/command for resolvconf(8) used by the resolve plugin is now
+ configurable.
+
+- The resolve plugin doesn't generate unique interface names for name servers
+ anymore. Instead, all available name servers are associated with a single,
+ configurable interface name.
+
+- Serial numbers of certificates and CRLs are now always returned in canonical
+ form (i.e. without leading zeros).
+
+- The kernel-netlink plugin now logs extended ACK error/warning messages.
+
+
+strongswan-5.9.8
+----------------
+
+- Fixed a vulnerability related to accessing untrusted OCSP URIs and CDPs in
+ certificates that could lead to a denial-of-service attack.
+ This vulnerability has been registered as CVE-2022-40617.
+
+- The pki --scep|--scepca commands support the HTTP-based "Simple Certificate
+ Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated
+ scepclient that has been removed.
+
+- The pki --est|estca commands support the HTTPS-based "Enrollment over Secure
+ Transport" (RFC 7030 EST) protocol.
+
+- The pki --req command can create a certificate request based on an existing
+ PKCS#10 template by replacing the public key and re-generating the signature
+ with the new private key.
+
+- For IKEv2, the ike_updown() "up" event and the state change to IKE_ESTABLISHED
+ are now triggered after all IKE-related tasks are done.
+
+- The ike_cfg_t object is now always replaced together with the peer_cfg_t
+ object that's set on an IKE_SA during authentication.
+
+- The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests
+ can be completed successfully with just the default plugins.
+
+- The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP
+ sockets, so an error is triggered if e.g. two daemons (e.g. charon and
+ charon-systemd) are running concurrently using the same ports.
+
+- The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier with
+ explicit trailerField.
+
+
+strongswan-5.9.7
+----------------
+
+- The IKEv2 key derivation is now delayed until the keys are actually needed for
+ the next message. Instead of deriving the keys while processing an IKE_SA_INIT
+ request, it's delayed until the corresponding IKE_AUTH request is received.
+ DH implementations now must do costly public key validation and the key
+ derivation in get_shared_secret().
+
+- Inbound IKEv2 messages are not parsed immediately anymore, instead we first
+ check a request's MID and compare its hash to that of the previous request to
+ decide if it's a valid retransmit (for fragmented message we only keep track
+ of the first fragment, so we don't have to wait for all fragments and
+ reconstruct the message, which we did before).
+
+- The retransmission logic in the dhcp plugin has been fixed so that four
+ retransmits are sent per DHCP request over a total of 15 seconds (previously,
+ it could happen that all were sent within the same second without any time
+ to actually wait for a response).
+
+- The connmark plugin now considers configured masks in installed firewall
+ rules, which allows using the upper parts of the mark value for other
+ purposes. Just consider that the daemon might have to be restarted regularly
+ to reset the global unique mark counter as that's unaware of any masks.
+
+- Child config selection has been improved as responder in cases where multiple
+ children use transport mode traffic selectors.
+
+- The outbound SA/policy is now also removed after IKEv1 CHILD_SA rekeyings.
+
+- The openssl plugin supports AES and Camellia in CTR mode.
+
+
+strongswan-5.9.6
+----------------
+
+- The IKEv2 key derivation, in particular prf+, has been modularized to simplify
+ certification (e.g. FIPS-140) via an already certified third-party library.
+ The botan, openssl and wolfssl plugins implement the key derivation for
+ HMAC-based PRFs via their respective HKDF implementation. A generic
+ implementation is provided by the new kdf plugin.
+
+- Labeled IPsec with IKEv2 is supported in an SELinux and a proprietary simple
+ mode. In SELinux mode, traffic that matches a trap policy with generic
+ context (e.g. system_u:object_r:ipsec_spd_t:s0) triggers the negotiation of
+ CHILD_SAs with a specific label. With the simple mode, labels are not set on
+ SAs/policies but can be used as identifier to select specific child configs.
+
+- DoS protection has been improved: COOKIE secrets are now switched based on a
+ time limit (2 min.), a new per-IP threshold (default 3) is used to trigger
+ them, and unprocessed IKE_SA_INITs are already counted as half-open IKE_SAs.
+
+- Initiating duplicate CHILD_SAs within the same IKE_SA is largely prevented.
+
+- Immediately initiating a CHILD_SA with trap policies is now possible via
+ `start_action=trap|start`.
+
+- If the source address is unknown when initiating an IKEv2 SA, a NAT situation
+ is now forced for IPv4 (for IPv6, NAT-T is disabled) to avoid causing
+ asymmetric enabling of UDP-encapsulation.
+
+- Installing unnecessary exclude routes for VPN servers on FreeBSD is avoided.
+
+- The new `map_level` option for syslog loggers allows mapping log levels
+ to syslog levels starting at the specified number.
+
+- The addrblock plugin allows limiting the validation depth of issuer addrblock
+ extensions.
+
+- The default AEAD ESP proposal (sent since 5.9.0) now includes `noesn` to make
+ it standards-compliant.
+
+- Individual CHILD_SAs can be queried via the `list-sas` vici command (or
+ `swanctl --list-sas ), either by unique ID or name.
+
+- Compatibility with OpenSSL 3.0 has been improved.
+
+
+strongswan-5.9.5
+----------------
+
+- Fixed a vulnerability in the EAP client implementation that was caused by
+ incorrectly handling early EAP-Success messages. It may allow to bypass the
+ client and in some scenarios even the server authentication, or could lead to
+ a denial-of-service attack.
+ This vulnerability has been registered as CVE-2021-45079.
+
+- Using the trusted RSA or ECC Endorsement Key of the TPM 2.0, libtpmtss may now
+ establish a secure session via RSA encryption or an ephemeral ECDH key
+ exchange, respectively. The session allows HMAC-based authenticated
+ communication with the TPM 2.0 and the exchanged parameters can be encrypted
+ where necessary to guarantee confidentiality (e.g. when using the TPM as RNG).
+
+- Basic support for OpenSSL 3.0 has been added, in particular, the new
+ load_legacy option (enabled by default) allows loading the "legacy" provider
+ for algorithms like MD4 and DES (both required for EAP-MSCHAPv2), and the
+ existing fips_mode option allows explicitly loading the "fips" provider e.g.
+ if it's not activated in OpenSSL's fipsmodule.cnf.
+
+- The MTU of TUN devices created by the kernel-pfroute plugin on macOS and
+ FreeBSD is now configurable and reduced to 1400 bytes, by default. This also
+ fixes an issue on macOS 12 that prevented the detection of virtual IPs
+ installed on such TUN devices.
+
+- When rekeying CHILD_SAs, the old outbound SA is now uninstalled shortly after
+ the new SA has been installed on the initiator/winner. This is useful for
+ IPsec implementations where the ordering of SAs is unpredictable and we can't
+ set the SPI on the outbound policy to switch to the new SA while both are
+ installed.
+
+- The sw-collector utility may now iterate through APT history logs processed
+ by logrotate.
+
+- The openssl plugin now only announces the ECDH groups actually supported by
+ OpenSSL (determined via EC_get_builtin_curves()).
+
+
+strongswan-5.9.4
+----------------
+
+- Fixed a denial-of-service vulnerability in the gmp plugin that was caused by
+ an integer overflow when processing RSASSA-PSS signatures with very large
+ salt lengths.
+ This vulnerability has been registered as CVE-2021-41990.
+
+- Fixed a denial-of-service vulnerability in the in-memory certificate cache
+ if certificates are replaced and a very large random value caused an integer
+ overflow.
+ This vulnerability has been registered as CVE-2021-41991.
+
+- Fixed a related flaw that caused the daemon to accept an infinite number of
+ versions of a valid certificate by modifying the parameters in the
+ signatureAlgorithm field of the outer X.509 Certificate structure.
+
+- AUTH_LIFETIME notifies are now only sent by a responder if it can't
+ reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP)
+ or the use of virtual IPs.
+
+- Serial number generation in several pki sub-commands has been fixed so they
+ don't start with an unintended zero byte.
+
+- Initialize libtpmtss in all programs and library that use it.
+
+- Migrated testing scripts to Python 3.
+
+
+strongswan-5.9.3
+----------------
+
+- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
+
+- Added AES_CCM and SHA-3 signature support to openssl plugin.
+
+- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
+ available, before verifying signatures, which avoids unnecessary signature
+ verifications after a CA key rollover if both certificates are loaded.
+
+- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
+ previously depended on a version check.
+
+- charon-nm now supports using SANs as client identities, not only full DNs.
+
+- charon-tkm now handles IKE encryption.
+
+- A MOBIKE update is sent again if a a change in the NAT mappings is detected
+ but the endpoints stay the same.
+
+- Converted most of the test case scenarios to the vici interface
+
+
+strongswan-5.9.2
+----------------
+
+- Together with a Linux 5.8 kernel supporting the IMA measurement of the GRUB
+ bootloader and the Linux kernel, the strongSwan Attestation IMC allows to do
+ remote attestation of the complete boot phase. A recent TPM 2.0 device with a
+ SHA-256 PCR bank is required, so that both BIOS and IMA file measurements are
+ based on SHA-256 hashes.
+
+- Our own TLS library (libtls) that we use for TLS-based EAP methods and PT-TLS
+ gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and
+ Pascal Knecht (client and server) for their work on this.
+ Because the use of TLS 1.3 with these EAP methods is not yet standardized (two
+ Internet-Drafts are being worked on), the default maximum version is currently
+ set to TLS 1.2, which is now also the default minimum version. However the TNC
+ test scenarios using PT-TLS transport already use TLS 1.3.
+
+- Other improvements for libtls also affect older TLS versions. For instance, we
+ added support for ECDH with Curve25519/448 (DH groups may also be configured
+ now), for EdDSA keys and certificates and for RSA-PSS signatures. Support for
+ old and weak cipher suites has been removed (e.g. with 3DES and MD5) as well
+ as signature schemes with SHA-1.
+
+- The listener_t::ike_update event is now also called for MOBIKE updates. Its
+ signature has changed so we only have to call it once if both addresses/ports
+ have changed (e.g. for an address family switch). The event is now also
+ exposed via vici.
+
+- The farp plugin has been ported to macOS and FreeBSD. Thanks to Dan James for
+ working on this.
+
+- To fix DNS server installation with systemd-resolved, charon-nm now creates a
+ dummy TUN device again (was removed with 5.5.1).
+
+- The botan plugin can use rng_t implementations provided by other plugins when
+ generating keys etc. if the Botan library supports it.
+
+- charon-tkm now supports multiple CAs and is configured via vici/swanctl.
+
+- Simple glob patterns (e.g. include conf.d/*.conf) now also work on Windows.
+ Handling of forward slashes in paths on Windows has also been improved.
+
+- The abbreviations for the 'surname' and 'serial number' RDNs in ASN.1 DNs have
+ been changed to align with RFC 4519: The abbreviation for 'surname' is now
+ "SN" (was "S" before), which was previously used for 'serial number' that can
+ now be specified as "serialNumber" only.
+
+- An issue with Windows clients requesting previous IPv6 but not IPv4 virtual
+ IP addresses has been fixed.
+
+- ike_sa_manager_t: Checking out IKE_SAs by config is now atomic (e.g. when
+ acquires for different children of the same connection arrive concurrently).
+ The checkout_new() method has been renamed to create_new(). A new
+ checkout_new() method allows registering a new IKE_SA with the manager before
+ checking it in, so jobs can be queued without losing them as they can block
+ on checking out the new SA.
+
+
+strongswan-5.9.1
+----------------
+
+- Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI
+ measurements introduced with the Linux 5.4 kernel.
+
+- Nonces in OCSP responses are not enforced anymore and only validated if a
+ nonce is actually contained.
+
+- Fixed an issue when only some fragments of a retransmitted IKEv2 message were
+ received, which prevented processing a following fragmented message.
+
+- All queued vici messages are now sent to subscribed clients during shutdown,
+ which includes ike/child-updown events triggered when all SAs are deleted.
+
+- CHILD_SA IP addresses are updated before installation to allow MOBIKE updates
+ while retransmitting a CREATE_CHILD_SA request.
+
+- When looking for a route to the peer, the kernel-netlink plugin ignores the
+ current source address if it's deprecated.
+
+- The file and syslog loggers support logging the log level of each message
+ after the subsystem (e.g. [IKE2]).
+
+- charon-nm is now properly terminated during system shutdown.
+
+- Improved support for EdDSA keys in vici/swanctl, in particular, encrypted
+ keys are now supported.
+
+- A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID
+ to prevent Cisco devices from narrowing a 0.0.0.0/0 traffic selector.
+
+- The openssl plugin accepts CRLs issued by non-CA certificates if they contain
+ the cRLSign keyUsage flag (the x509 plugin already does this since 4.5.1).
+
+- Attributes in PKCS#7 containers, as used in SCEP, are now properly
+ DER-encoded, i.e. sorted.
+
+- The load-tester plugin now supports virtual IPv6 addresses and IPv6 source
+ address pools.
+
+
+strongswan-5.9.0
+----------------
+
+- We prefer AEAD algorithms for ESP and therefore put AES-GCM in a default AEAD
+ proposal in front of the previous default proposal.
+
+- The NM backend now clears cached credentials when disconnecting, has DPD and
+ and close action set to restart, and supports custom remote TS via 'remote-ts'
+ option (no GUI support).
+
+- The pkcs11 plugin falls back to software hashing for PKCS#1v1.5 RSA signatures
+ if mechanisms with hashing (e.g. CKM_SHA256_RSA_PKCS) are not supported.
+
+- The owner/group of log files is now set so the daemon can reopen them if the
+ config is reloaded and it doesn't run as root.
+
+- The wolfssl plugin (with wolfSSL 4.4.0+) supports x448 DH and Ed448 keys.
+
+- The vici plugin stores all CA certificates in one location, which avoids
+ issues with unloading authority sections or clearing all credentials.
+
+- When unloading a vici connection with start_action=start, any related IKE_SAs
+ without children are now terminated (including those in CONNECTING state).
+
+- The hashtable implementation has been changed so it maintains insertion order.
+ This was mainly done so the vici plugin can store its connections in a
+ hashtable, which makes managing high numbers of connections faster.
+
+- The default maximum size for vici messages (512 KiB) can now be changed via
+ VICI_MESSAGE_SIZE_MAX compile option.
+
+- The charon.check_current_path option allows forcing a DPD exchange to check if
+ the current path still works whenever interface/address-changes are detected.
+
+- It's possible to use clocks other than CLOCK_MONOTONIC (e.g. CLOCK_BOOTTIME)
+ via TIME_CLOCK_ID compile option if clock_gettime() is available and
+ pthread_condattr_setclock() supports that clock.
+
+- Test cases and functions can now be filtered when running the unit tests.
+
+
+strongswan-5.8.4
+----------------
+
+- In IKEv1 Quick Mode make sure that a proposal exists before determining
+ lifetimes (fixes crash due to null pointer exception).
+
+- OpenSSL currently doesn't support squeezing bytes out of a SHAKE128/256
+ XOF (eXtended Output Function) multiple times. Unfortunately,
+ EVP_DigestFinalXOF() completely resets the context and later calls not
+ simply fail, they cause a null-pointer dereference in libcrypto. This
+ fixes the crash at the cost of repeating initializing the whole state
+ and allocating too much data for subsequent calls.
+
+
+strongswan-5.8.3
+----------------
+
+- Updates for the NM backend (and plugin), among others: EAP-TLS authentication,
+ configurable local and remote IKE identities, custom server port, redirection
+ and reauthentication support.
+
+- Previously used reqids are now reallocated to workaround an issue on FreeBSD
+ where the daemon can't use reqids > 16383.
+
+- On Linux, throw type routes are installed for passthrough policies. They act
+ as fallbacks on routes in other tables and require less information, so they
+ can be installed earlier and are not affected by updates.
+
+- For IKEv1, the lifetimes of the selected transform are returned to the
+ initiator, which is an issue with peers that propose different lifetimes in
+ different transforms. We also return the correct transform and proposal IDs.
+
+- IKE_SAs are not re-established anymore if a deletion has been queued.
+
+- Added support for Ed448 keys and certificates via openssl plugin and pki tool.
+ The openssl plugin also supports SHA-3 and SHAKE128/256.
+
+- The use of algorithm IDs from the private use ranges can now be enabled
+ globally, to use them even if no strongSwan vendor ID was exchanged.
+
+
+strongswan-5.8.2
+----------------
+
+- Identity-based CA constraints are supported via vici/swanctl.conf. They
+ enforce that the remote's certificate chain contains a CA certificate with a
+ specific identity. While similar to the existing CA constraints, they don't
+ require that the CA certificate is locally installed such as intermediate CA
+ certificates received from peers. Compared to wildcard identity matching (e.g.
+ "..., OU=Research, CN=*") this requires less trust in the intermediate CAs (to
+ only issue certificates with legitimate subject DNs) as long as path length
+ basic constraints prevent them from issuing further intermediate CAs.
+
+- Intermediate CA certificates may now be sent in hash-and-URL encoding by
+ configuring a base URL for the parent CA.
+
+- Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG)
+ based on AES-CTR and SHA2-HMAC modes. Currently used by gmp and ntru plugins.
+
+- Random nonces sent in an OCSP requests are now expected in the corresponding
+ OCSP responses.
+
+- The kernel-netlink plugin ignores deprecated IPv6 addresses for MOBIKE.
+ Whether temporary or permanent IPv6 addresses are included depends on the
+ charon.prefer_temporary_addrs setting.
+
+- Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the
+ kernel.
+
+- Unique section names are used for CHILD_SAs in vici child-updown events and
+ more information (e.g. statistics) are included for individually deleted
+ CHILD_SAs (in particular for IKEv1).
+
+- So fallbacks to other plugins work properly, creating HMACs via openssl plugin
+ now fails instantly if the underlying hash algorithm isn't supported (e.g.
+ MD5 in FIPS-mode).
+
+- Exponents of RSA keys read from TPM 2.0 via SAPI are now correctly converted.
+
+- Routing table IDs > 255 are supported for custom routes on Linux.
+
+- The D-Bus config file for charon-nm is now installed in
+ $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d.
+
+- INVALID_MAJOR_VERSION notifies are now correctly sent in messages of the same
+ exchange type and using the same message ID as the request.
+
+- IKEv2 SAs are immediately destroyed when sending or receiving INVALID_SYNTAX
+ notifies in authenticated messages.
+
+
+strongswan-5.8.1
+----------------
+
+- RDNs in Distinguished Names can now optionally be matched less strict. The
+ global option charon.rdn_matching takes two alternative values that cause the
+ matching algorithm to either ignore the order of matched RDNs or additionally
+ accept DNs that contain more RDNs than configured (unmatched RDNs are treated
+ like wildcard matches).
+
+- The updown plugin now passes the same interface to the script that is also
+ used for the automatically installed routes, i.e. the interface over which the
+ peer is reached instead of the interface on which the local address is found.
+
+- TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple
+ IKE_SAs use the same private key concurrently.
+
+
+strongswan-5.8.0
+----------------
+
+- The systemd service units have been renamed. The modern unit, which was called
+ strongswan-swanctl, is now called strongswan (the previous name is configured
+ as alias). The legacy unit is now called strongswan-starter.
+
+- Support for XFRM interfaces (available since Linux 4.19) has been added.
+ Configuration is possible via swanctl.conf. Interfaces may be created
+ dynamically via updown/vici scripts, or statically before or after
+ establishing the SAs. Routes must be added manually as needed (the daemon will
+ not install any routes for outbound policies with an interface ID).
+
+- Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and
+ supported by the responder, no CHILD_SA is established during IKE_AUTH. This
+ allows using a separate DH exchange even for the first CHILD_SA, which is
+ otherwise created with keys derived from the IKE_SA's key material.
+
+- The NetworkManager backend and plugin support IPv6.
+
+- The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks
+ to Sean Parkinson of wolfSSL Inc. for the initial patch.
+
+- IKE SPIs may optionally be labeled via the charon.spi_mask|label options. This
+ feature was extracted from charon-tkm, however, now applies the mask/label in
+ network order.
+
+- The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
+
+- The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not
+ correctly implemented when sending either a CRETRY or SRETRY batch. These
+ batches can only be sent in the "Decided" state and a CRETRY batch can
+ immediately carry all messages usually transported by a CDATA batch. It is
+ currently not possible to send a SRETRY batch since full-duplex mode for
+ PT-TLS transport is not supported.
+
+- Instead of marking virtual IPv6 addresses as deprecated, the kernel-netlink
+ plugin uses address labels to avoid their use for non-VPN traffic.
+
+- The agent plugin creates sockets to the ssh/gpg-agent dynamically and does not
+ keep them open, which otherwise can prevent the agent from getting terminated.
+
+- To avoid broadcast loops the forecast plugin now only reinjects packets that
+ are marked or received from the configured interface.
+
+- UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses
+ an UTF-16LE encoding to calculate the NT hash.
+
+- Adds the build-certs script to generate the keys and certificates used for
+ regression tests dynamically. They are built with the pki version installed
+ in the KVM root image so it's not necessary to have an up-to-date version with
+ all required plugins installed on the host system.
+
+
+strongswan-5.7.2
+----------------
+
+- Private key implementations may optionally provide a list of supported
+ signature schemes, which is used by the tpm plugin because for each key on a
+ TPM 2.0 the hash algorithm and for RSA also the padding scheme is predefined.
+
+- For RSA with PSS padding, the TPM 2.0 specification mandates the maximum salt
+ length (as defined by the length of the key and hash). However, if the TPM is
+ FIPS-168-4 compliant, the salt length equals the hash length. This is assumed
+ for FIPS-140-2 compliant TPMs, but if that's not the case, it might be
+ necessary to manually enable charon.plugins.tpm.fips_186_4 if the TPM doesn't
+ use the maximum salt length.
+
+- swanctl now accesses directories for credentials relative to swanctl.conf, in
+ particular, when it's loaded from a custom location via --file argument. The
+ base directory that's used if --file is not given is configurable at runtime
+ via SWANCTL_DIR environment variable.
+
+- With RADIUS Accounting enabled, the eap-radius plugin adds the session ID to
+ Access-Request messages, simplifying associating database entries for IP
+ leases and accounting with sessions.
+
+- IPs assigned by RADIUS servers are included in Accounting-Stop even if clients
+ don't claim them, allowing releasing them early on connection errors.
+
+- Selectors installed on transport mode SAs by the kernel-netlink plugin are
+ updated on IP address changes (e.g. via MOBIKE).
+
+- Added support for RSA signatures with SHA-256 and SHA-512 to the agent plugin.
+ For older versions of ssh/gpg-agent that only support SHA-1, IKEv2 signature
+ authentication has to be disabled via charon.signature_authentication.
+
+- The sshkey and agent plugins support Ed25519/Ed448 SSH keys and signatures.
+
+- The openssl plugin supports X25519/X448 Diffie-Hellman and Ed25519/Ed448 keys
+ and signatures when built against OpenSSL 1.1.1.
+
+- Ed25519, ChaCha20/Poly1305, SHA-3 and AES-CCM were added to the botan plugin.
+
+- The mysql plugin now properly handles database connections with transactions
+ under heavy load.
+
+- IP addresses in HA pools are now distributed evenly among all segments.
+
+- On newer FreeBSD kernels, the kernel-pfkey plugin reads the reqid directly
+ from SADB_ACQUIRE messages, i.e. not requiring previous policy installation by
+ the plugin, e.g. for compatibility with if_ipsec(4) VTIs.
+
+
+strongswan-5.7.1
+----------------
+
+- Fixes a vulnerability in the gmp plugin triggered by crafted certificates with
+ RSA keys with very small moduli. When verifying signatures with such keys,
+ the code patched with the fix for CVE-2018-16151/2 caused an integer underflow
+ and subsequent heap buffer overflow that results in a crash of the daemon.
+ The vulnerability has been registered as CVE-2018-17540.
+
+
+strongswan-5.7.0
+----------------
+
+- Fixes a potential authorization bypass vulnerability in the gmp plugin that
+ was caused by a too lenient verification of PKCS#1 v1.5 signatures. Several
+ flaws could be exploited by a Bleichenbacher-style attack to forge signatures
+ for low-exponent keys (i.e. with e=3). CVE-2018-16151 has been assigned to
+ the problem of accepting random bytes after the OID of the hash function in
+ such signatures, and CVE-2018-16152 has been assigned to the issue of not
+ verifying that the parameters in the ASN.1 algorithmIdentifier structure is
+ empty. Other flaws that don't lead to a vulnerability directly (e.g. not
+ checking for at least 8 bytes of padding) have no separate CVE assigned.
+
+- Dots are not allowed anymore in section names in swanctl.conf and
+ strongswan.conf. This mainly affects the configuration of file loggers. If the
+ path for such a log file contains dots it now has to be configured in the new
+ `path` setting within the arbitrarily renamed subsection in the `filelog`
+ section.
+
+- Sections in swanctl.conf and strongswan.conf may now reference other sections.
+ All settings and subsections from such a section are inherited. This allows
+ to simplify configs as redundant information has only to be specified once
+ and may then be included in other sections (refer to the example in the man
+ page for strongswan.conf).
+
+- The originally selected IKE config (based on the IPs and IKE version) can now
+ change if no matching algorithm proposal is found. This way the order
+ of the configs doesn't matter that much anymore and it's easily possible to
+ specify separate configs for clients that require weak algorithms (instead
+ of having to also add them in other configs that might be selected).
+
+- Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2)
+ has been added.
+
+- The new botan plugin is a wrapper around the Botan C++ crypto library. It
+ requires a fairly recent build from Botan's master branch (or the upcoming
+ 2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz
+ Cybersecurity for the initial patch.
+
+- The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using
+ the syntax --san xmppaddr:<jid>.
+
+- Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA)
+ for PA-TNC". SWIMA subscription option sets CLOSE_WRITE trigger on apt
+ history.log file resulting in a ClientRetry PB-TNC batch to initialize
+ a new measurement cycle.
+
+- Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA
+ protocols on Google's OSS-Fuzz infrastructure.
+
+- Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of
+ the in-kernel /dev/tpmrm0 resource manager is automatically detected.
+
+- Marks the in- and/or outbound SA should apply to packets after processing may
+ be configured in swanctl.conf on Linux. For outbound SAs this requires at
+ least a 4.14 kernel. Setting a mask and configuring a mark/mask for inbound
+ SAs will be added with the upcoming 4.19 kernel.
+
+- New options in swanctl.conf allow configuring how/whether DF, ECN and DS
+ fields in the IP headers are copied during IPsec processing. Controlling this
+ is currently only possible on Linux.
+
+- To avoid conflicts, the dhcp plugin now only uses the DHCP server port if
+ explicitly configured.
+
+
+strongswan-5.6.3
+----------------
+
+- Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is
+ used in FIPS mode and HMAC-MD5 is negotiated as PRF.
+ This vulnerability has been registered as CVE-2018-10811.
+
+- Fixed a vulnerability in the stroke plugin, which did not check the received
+ length before reading a message from the socket. Unless a group is configured,
+ root privileges are required to access that socket, so in the default
+ configuration this shouldn't be an issue.
+ This vulnerability has been registered as CVE-2018-5388.
+
+⁻ CRLs that are not yet valid are now ignored to avoid problems in scenarios
+ where expired certificates are removed from CRLs and the clock on the host
+ doing the revocation check is trailing behind that of the host issuing CRLs.
+
+- The issuer of fetched CRLs is now compared to the issuer of the checked
+ certificate.
+
+- CRL validation results other than revocation (e.g. a skipped check because
+ the CRL couldn't be fetched) are now stored also for intermediate CA
+ certificates and not only for end-entity certificates, so a strict CRL policy
+ can be enforced in such cases.
+
+- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
+ now either not contain a keyUsage extension (like the ones generated by pki)
+ or have at least one of the digitalSignature or nonRepudiation bits set.
+
+- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
+ This might be useful in situations where it's known the other end is not
+ reachable anymore, or that it already removed the IKE_SA, so retransmitting a
+ DELETE and waiting for a response would be pointless. Waiting only a certain
+ amount of time for a response before destroying the IKE_SA is also possible
+ by additionally specifying a timeout.
+
+- When removing routes, the kernel-netlink plugin now checks if it tracks other
+ routes for the same destination and replaces the installed route instead of
+ just removing it. Same during installation, where existing routes previously
+ weren't replaced. This should allow using traps with virtual IPs on Linux.
+
+- The dhcp plugin only sends the client identifier option if identity_lease is
+ enabled. It can also send identities of up to 255 bytes length, instead of
+ the previous 64 bytes. If a server address is configured, DHCP requests are
+ now sent from port 67 instead of 68 to avoid ICMP port unreachables.
+
+- Roam events are now completely ignored for IKEv1 SAs.
+
+- ChaCha20/Poly1305 is now correctly proposed without key length. For
+ compatibility with older releases the chacha20poly1305compat keyword may be
+ included in proposals to also propose the algorithm with a key length.
+
+- Configuration of hardware offload of IPsec SAs is now more flexible and allows
+ a new mode, which automatically uses it if the kernel and device support it.
+
+- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
+
+- The pki --verify tool may load CA certificates and CRLs from directories.
+
+- Fixed an issue with DNS servers passed to NetworkManager in charon-nm.
+
+
strongswan-5.6.2
----------------
+- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that
+ was caused by insufficient input validation. One of the configurable
+ parameters in algorithm identifier structures for RSASSA-PSS signatures is the
+ mask generation function (MGF). Only MGF1 is currently specified for this
+ purpose. However, this in turn takes itself a parameter that specifies the
+ underlying hash function. strongSwan's parser did not correctly handle the
+ case of this parameter being absent, causing an undefined data read.
+ This vulnerability has been registered as CVE-2018-6459.
+
+- The previously negotiated DH group is reused when rekeying an SA, instead of
+ using the first group in the configured proposals, which avoids an additional
+ exchange if the peer selected a different group via INVALID_KE_PAYLOAD when
+ the SA was created initially.
+ The selected DH group is also moved to the front of all sent proposals that
+ contain it and all proposals that don't are moved to the back in order to
+ convey the preference for this group to the peer.
+
+- Handling of MOBIKE task queuing has been improved. In particular, the response
+ to an address update is not ignored anymore if only an address list update or
+ DPD is queued.
+
+- The fallback drop policies installed to avoid traffic leaks when replacing
+ addresses in installed policies are now replaced by temporary drop policies,
+ which also prevent acquires because we currently delete and reinstall IPsec
+ SAs to update their addresses.
+
- Access X.509 certificates held in non-volatile storage of a TPM 2.0
referenced via the NV index.
- Adding the --keyid parameter to pki --print allows to print private keys
or certificates stored in a smartcard or a TPM 2.0.
+- Fixed proposal selection if a peer incorrectly sends DH groups in the ESP
+ proposals during IKE_AUTH and also if a DH group is configured in the local
+ ESP proposal and charon.prefer_configured_proposals is disabled.
+
+- MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility
+ issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g.
+ AES-XCBC-PRF-128).
+
- The tpm_extendpcr command line tool extends a digest into a TPM PCR.
+- Ported the NetworkManager backend from the deprecated libnm-glib to libnm.
+
+- The save-keys debugging/development plugin saves IKE and/or ESP keys to files
+ compatible with Wireshark.
+
strongswan-5.6.1
----------------
- In the bliss plugin the c_indices derivation using a SHA-512 based random
oracle has been fixed, generalized and standardized by employing the MGF1 mask
- generation function with SHA-512. As a consequence BLISS signatures unsing the
+ generation function with SHA-512. As a consequence BLISS signatures using the
improved oracle are not compatible with the earlier implementation.
- Support for auto=route with right=%any for transport mode connections has
PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
- The charon systime-fix plugin can disable certificate lifetime checks on
- embedded systems if the system time is obviously out of sync after bootup.
+ embedded systems if the system time is obviously out of sync after boot-up.
Certificates lifetimes get checked once the system time gets sane, closing
or reauthenticating connections using expired certificates.
charon-tkm does not result in the compromise of cryptographic keys.
The extracted functionality has been implemented from scratch in a minimal TCB
(trusted computing base) in the Ada programming language. Further information
- can be found at http://www.codelabs.ch/tkm/.
+ can be found at https://www.codelabs.ch/tkm/.
strongswan-5.0.2
----------------
- The PA-TNC and PB-TNC protocols can now process huge data payloads
>64 kB by distributing PA-TNC attributes over multiple PA-TNC messages
and these messages over several PB-TNC batches. As long as no
- consolidated recommandation from all IMVs can be obtained, the TNC
+ consolidated recommendation from all IMVs can be obtained, the TNC
server requests more client data by sending an empty SDATA batch.
- The rightgroups2 ipsec.conf option can require group membership during
keying protocols. The feature-set of IKEv1 in charon is almost on par with
pluto, but currently does not support AH or bundled AH+ESP SAs. Beside
RSA/ECDSA, PSK and XAuth, charon also supports the Hybrid authentication
- mode. Information for interoperability and migration is available at
- http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1.
+ mode.
- Charon's bus_t has been refactored so that loggers and other listeners are
now handled separately. The single lock was previously cause for deadlocks
thus causing failures during the loading of the plugins which depend on these
libraries for resolving external symbols.
-- Therefore our approach of computing integrity checksums for plugins had to be
- changed radically by moving the hash generation from the compilation to the
- post-installation phase.
+- Therefore our approach of computing integrity checksums for plugins had to be
+ changed radically by moving the hash generation from the compilation to the
+ post-installation phase.
strongswan-4.6.0
- The openssl plugin now supports X.509 certificate and CRL functions.
- OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled
- by default. Plase update manual load directives in strongswan.conf.
+ by default. Please update manual load directives in strongswan.conf.
- RFC3779 ipAddrBlock constraint checking has been moved to the addrblock
plugin, disabled by default. Enable it and update manual load directives
- The IKEv2 High Availability plugin has been integrated. It provides
load sharing and failover capabilities in a cluster of currently two nodes,
- based on an extend ClusterIP kernel module. More information is available at
- http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability.
+ based on an extend ClusterIP kernel module.
The development of the High Availability functionality was sponsored by
secunet Security Networks AG.
----------------
- IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can
- be found on wiki.strongswan.org.
+ be found in the documentation.
- ipsec statusall shows the number of bytes transmitted and received over
ESP connections configured by the IKEv2 charon daemon.
- The nm plugin also accepts CA certificates for gateway authentication. If
a CA certificate is configured, strongSwan uses the entered gateway address
- as its idenitity, requiring the gateways certificate to contain the same as
+ as its identity, requiring the gateways certificate to contain the same as
subjectAltName. This allows a gateway administrator to deploy the same
certificates to Windows 7 and NetworkManager clients.
fuzzing techniques: 1) Sending a malformed IKE_SA_INIT request leaved an
incomplete state which caused a null pointer dereference if a subsequent
CREATE_CHILD_SA request was sent. 2) Sending an IKE_AUTH request with either
- a missing TSi or TSr payload caused a null pointer derefence because the
+ a missing TSi or TSr payload caused a null pointer dereference because the
checks for TSi and TSr were interchanged. The IKEv2 fuzzer used was
developed by the Orange Labs vulnerability research team. The tool was
initially written by Gabriel Campana and is now maintained by Laurent Butti.
Initiators and responders can use several authentication rounds (e.g. RSA
followed by EAP) to authenticate. The new ipsec.conf leftauth/rightauth and
leftauth2/rightauth2 parameters define own authentication rounds or setup
- constraints for the remote peer. See the ipsec.conf man page for more detials.
+ constraints for the remote peer. See the ipsec.conf man page for more details.
- If glibc printf hooks (register_printf_function) are not available,
strongSwan can use the vstr string library to run on non-glibc systems.
- Several MOBIKE improvements: Detect changes in NAT mappings in DPD exchanges,
handle events if kernel detects NAT mapping changes in UDP-encapsulated
- ESP packets (requires kernel patch), reuse old addesses in MOBIKE updates as
+ ESP packets (requires kernel patch), reuse old addresses in MOBIKE updates as
long as possible and other fixes.
- Fixed a bug in addr_in_subnet() which caused insertion of wrong source
refactored to support modular credential providers, proper
CERTREQ/CERT payload exchanges and extensible authorization rules.
-- The framework of strongSwan Manager has envolved to the web application
+- The framework of strongSwan Manager has evolved to the web application
framework libfast (FastCGI Application Server w/ Templates) and is usable
by other applications.
- In NAT traversal situations and multiple queued Quick Modes,
those pending connections inserted by auto=start after the
- port floating from 500 to 4500 were erronously deleted.
+ port floating from 500 to 4500 were erroneously deleted.
- Added a "forceencaps" connection parameter to enforce UDP encapsulation
to surmount restrictive firewalls. NAT detection payloads are faked to
simulate a NAT situation and trick the other peer into NAT mode (IKEv2 only).
- Preview of strongSwan Manager, a web based configuration and monitoring
- application. It uses a new XML control interface to query the IKEv2 daemon
- (see http://wiki.strongswan.org/wiki/Manager).
+ application. It uses a new XML control interface to query the IKEv2 daemon.
- Experimental SQLite configuration backend which will provide the configuration
interface for strongSwan Manager in future releases.
strongswan-4.1.4
----------------
-- The pluto IKEv1 daemon now exhibits the same behaviour as its
+- The pluto IKEv1 daemon now exhibits the same behavior as its
IKEv2 companion charon by inserting an explicit route via the
_updown script only if a sourceip exists. This is admissible
since routing through the IPsec tunnel is handled automatically
Thanks to the rightallowany flag the connection behaves later on
as
- right=%any
+ right=%any
so that the peer can rekey the connection as an initiator when his
IP address changes. An alternative notation is
is provided and more advanced backends (using e.g. a database) are trivial
to implement.
- - Fixed a compilation failure in libfreeswan occurring with Linux kernel
- headers > 2.6.17.
+- Fixed a compilation failure in libfreeswan occurring with Linux kernel
+ headers > 2.6.17.
strongswan-4.1.2
The debugging levels can either be specified statically in ipsec.conf as
config setup
- charondebug="lib 1, cfg 3, net 2"
+ charondebug="lib 1, cfg 3, net 2"
or changed at runtime via stroke as
- Added support for preshared keys in IKEv2. PSK keys configured in
ipsec.secrets are loaded. The authby parameter specifies the authentication
- method to authentificate ourself, the other peer may use PSK or RSA.
+ method to authenticate ourself, the other peer may use PSK or RSA.
- Changed retransmission policy to respect the keyingtries parameter.
left|rightfirewall keyword causes the automatic insertion
and deletion of ACCEPT rules for tunneled traffic upon
the successful setup and teardown of an IPsec SA, respectively.
- left|rightfirwall can be used with KLIPS under any Linux 2.4
+ left|rightfirewall can be used with KLIPS under any Linux 2.4
kernel or with NETKEY under a Linux kernel version >= 2.6.16
in conjunction with iptables >= 1.3.5. For NETKEY under a Linux
kernel version < 2.6.16 which does not support IPsec policy
if an FQDN, USER_FQDN, or Key ID was defined, as in the following example.
conn rw
- right=%any
- rightid=@foo.bar
- authby=secret
+ right=%any
+ rightid=@foo.bar
+ authby=secret
- the ipsec command now supports most ipsec auto commands (e.g. ipsec listall).
to replace the various shell and awk starter scripts (setup, _plutoload,
_plutostart, _realsetup, _startklips, _confread, and auto). Since
ipsec.conf is now parsed only once, the starting of multiple tunnels is
- accelerated tremedously.
+ accelerated tremendously.
- Added support of %defaultroute to the ipsec starter. If the IP address
changes, a HUP signal to the ipsec starter will automatically
strongswan-2.5.7
----------------
-- CA certicates are now automatically loaded from a smartcard
+- CA certificates are now automatically loaded from a smartcard
or USB crypto token and appear in the ipsec auto --listcacerts
listing.
- fixed the initialization of the ESP key length to a default of
128 bits in the case that the peer does not send a key length
- attribute for AES encryption.
+ attribute for AES encryption.
- applied Herbert Xu's uniqueIDs patch
- Under the native IPsec of the Linux 2.6 kernel, a %trap eroute
installed either by setting auto=route in ipsec.conf or by
- a connection put into hold, generates an XFRM_AQUIRE event
- for each packet that wants to use the not-yet exisiting
- tunnel. Up to now each XFRM_AQUIRE event led to an entry in
+ a connection put into hold, generates an XFRM_ACQUIRE event
+ for each packet that wants to use the not-yet existing
+ tunnel. Up to now each XFRM_ACQUIRE event led to an entry in
the Quick Mode queue, causing multiple IPsec SA to be
established in rapid succession. Starting with strongswan-2.5.1
only a single IPsec SA is established per host-pair connection.
- The new "ca" section allows to define the following parameters:
ca kool
- cacert=koolCA.pem # cacert of kool CA
- ocspuri=http://ocsp.kool.net:8001 # ocsp server
- ldapserver=ldap.kool.net # default ldap server
- crluri=http://www.kool.net/kool.crl # crl distribution point
- crluri2="ldap:///O=Kool, C= .." # crl distribution point #2
- auto=add # add, ignore
+ cacert=koolCA.pem # cacert of kool CA
+ ocspuri=http://ocsp.kool.net:8001 # ocsp server
+ ldapserver=ldap.kool.net # default ldap server
+ crluri=http://www.kool.net/kool.crl # crl distribution point
+ crluri2="ldap:///O=Kool, C= .." # crl distribution point #2
+ auto=add # add, ignore
The ca definitions can be monitored via the command
- ipsec auto --listcainfos
+ ipsec auto --listcainfos
- Fixed cosmetic corruption of /proc filesystem by integrating
D. Hugh Redelmeier's freeswan-2.06 kernel fixes.
projects / thirdparty / strongswan.git / blobdiff