- The issuer of fetched CRLs is now compared to the issuer of the checked
certificate.
-- CRL results other than revocation (e.g. a skipped check because the CRL
- couldn't be fetched) are now stored also for intermediate CA certificates and
- not only for end-entity certificates, so a strict CRL policy can be enforced
- in such cases.
+- CRL validation results other than revocation (e.g. a skipped check because
+ the CRL couldn't be fetched) are now stored also for intermediate CA
+ certificates and not only for end-entity certificates, so a strict CRL policy
+ can be enforced in such cases.
- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
now either not contain a keyUsage extension (like the ones generated by pki)
- or have at least one of the digitalSignature or nonReputiation bits set.
+ or have at least one of the digitalSignature or nonRepudiation bits set.
- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
This might be useful in situations where it's known the other end is not
- reachable anymore or that it already removed the IKE_SA, so there is no point
- in retransmitting a DELETE and waiting for a response (it's also possible to
- wait for a certain amount of time, e.g. shorter than all retransmits, until
- destroying the SA).
+ reachable anymore, or that it already removed the IKE_SA, so retransmitting a
+ DELETE and waiting for a response would be pointless. Waiting only a certain
+ amount of time for a response before destroying the IKE_SA is also possible
+ by additionally specifying a timeout.
- When removing routes, the kernel-netlink plugin now checks if it tracks other
routes for the same destination and replaces the installed route instead of
weren't replaced. This should allow using traps with virtual IPs on Linux.
- The dhcp plugin only sends the client identifier option if identity_lease is
- enabled. It also can send longer identities (up to 255 bytes instead of the
- previous 64 bytes). If a server address is configured, DHCP requests are now
- sent from port 67 instead of 68.
+ enabled. It can also send identities of up to 255 bytes length, instead of
+ the previous 64 bytes. If a server address is configured, DHCP requests are
+ now sent from port 67 instead of 68 to avoid ICMP port unreachables.
- Roam events are now completely ignored for IKEv1 SAs.
included in proposals to also propose the algorithm with a key length.
- Configuration of hardware offload of IPsec SAs is now more flexible and allows
- a new mode, which automatically uses it if the kernel and hardware support it.
+ a new mode, which automatically uses it if the kernel and device support it.
- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
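Review bot: the rewritten IKE_SA termination entry ("Waiting only a certain amount of time for a response before destroying the IKE_SA is also possible by additionally specifying a timeout") refers to a timeout without naming the vici command or swanctl option that accepts it, so a reader of NEWS has no handle to look the feature up; state the option name in that entry. Also, the surrounding context in this hunk does not read as complete text: "replaces the installed route instead of" is followed directly by "weren't replaced." in the kernel-netlink entry, and "Roam events are now completely ignored for IKEv1 SAs." is followed by "included in proposals to also propose the algorithm with a key length.", which is the tail of a different entry; this suggests the hunk was produced against a truncated or stale copy of NEWS, so regenerate it against the current file so the context lines apply cleanly.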