X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=NEWS;h=81a7fc5fc9756508d6bfbfbfb60010d39c580ae3;hb=b2d96bfe254316f0f78b3e676546f64b55d94ece;hp=eb9cba569b355b15e1081ad9cc0e6b5d2e8d4f8a;hpb=27bd0fed93ef2e2e59895efecf5c039f373ea278;p=people%2Fms%2Fstrongswan.git diff --git a/NEWS b/NEWS index eb9cba569..81a7fc5fc 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,6 @@ +strongswan-5.3.0 +---------------- + - Added support for IKEv2 make-before-break reauthentication. By using a global CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs. This allows the use of make-before-break instead of the previously supported @@ -6,6 +9,19 @@ as any previous strongSwan release) it must be explicitly enabled using the charon.make_before_break strongswan.conf option. +- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added. + This allows the use of stronger hash algorithms for public key authentication. + By default, signature schemes are chosen based on the strength of the + signature key, but specific hash algorithms may be configured in leftauth. + +- Key types and hash algorithms specified in rightauth are now also checked + against IKEv2 signature schemes. If such constraints are used for certificate + chain validation in existing configurations, in particular with peers that + don't support RFC 7427, it may be necessary to disable this feature with the + charon.signature_authentication_constraints setting, because the signature + scheme used in classic IKEv2 public key authentication may not be strong + enough. + - The new connmark plugin allows a host to bind conntrack flows to a specific CHILD_SA by applying and restoring the SA mark to conntrack entries. This allows a peer to handle multiple transport mode connections coming over the 
@@ -19,10 +35,27 @@ Windows 7 IKEv2 clients, which announces its services over the tunnel if the negotiated IPsec policy allows it. +- For the vici plugin a Python Egg has been added to allow Python applications + to control or monitor the IKE daemon using the VICI interface, similar to the + existing ruby gem. The Python library has been contributed by Björn Schuberg. + +- EAP server methods now can fulfill public key constraints, such as rightcert + or rightca. Additionally, public key and signature constraints can be + specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and + EAP-TTLS methods provide verification details to constraints checking. + - Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash algorithms with SHA512 being the default. +- The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor + as seen by the TNC server available to all IMVs. This information can be + forwarded to policy enforcement points (e.g. firewalls or routers). + +- The new mutual tnccs-20 plugin parameter activates mutual TNC measurements + in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or + PT-TLS transport medium. + strongswan-5.2.2 ----------------
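Review bot: in the first hunk (the 5.3.0 section header through the connmark entry), the paragraph on charon.signature_authentication_constraints describes a behaviour change for existing configurations but never states the option's default or makes explicit that turning it off relaxes a check: with the feature disabled, rightauth key-type and hash constraints are no longer applied to the IKEv2 signature scheme, so a peer can be accepted with a weaker scheme than the constraint was meant to require. Suggest stating the default value and rewording along the lines of "disabling this check means rightauth constraints are only applied to the certificate chain, not to the signature scheme negotiated in IKE_AUTH", so an administrator weighing interoperability with non-RFC 7427 peers sees what is being given up. For the same reason the RFC 7427 entry could name the leftauth syntax it refers to (or point at the ipsec.conf documentation), since "may be configured in leftauth" gives no hint of the form.

Review bot: in the second hunk (the vici Python Egg entry through the tnccs-20 entry), two wording points. "EAP server methods now can fulfill public key constraints" should read "can now fulfill", and "the EAP-TLS and EAP-TTLS methods provide verification details" would be clearer as a statement of what is enforced rather than "details". More importantly, "The new mutual tnccs-20 plugin parameter activates mutual TNC measurements" is ambiguous about whether "mutual" is the option name or an adjective; suggest quoting the strongswan.conf key in full, as the first hunk does for charon.make_before_break, so readers can find and audit the setting. The IF-IMV 1.4 entry exposes the access requestor's IP address to every IMV; it would help operators to say whether this address is the one observed by the TNC server or one reported by the client, since the entry's "as seen by the TNC server" suggests the former and that distinction matters when the value is forwarded to firewalls or routers for enforcement.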