+strongswan-5.9.10
+-----------------
+
+- Added support for full packet hardware offload for IPsec SAs and policies with
+ Linux 6.2 kernels to the kernel-netlink plugin.
+
+- TLS-based EAP methods now use the standardized key derivation when used
+ with TLS 1.3.
+
+- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by
+ implementing the "protected success indication".
+
+- With the `prefer` value for the `childless` setting, initiators will create
+ a childless IKE_SA if the responder supports the extension.
+
+- Routes via XFRM interfaces can optionally be installed automatically by
+ enabling the `install_routes_xfrmi` option of the kernel-netlink plugin.
+
+- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid
+ issues with name resolution if they are supported by the kernel.
+
+- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the
+ PKCS#10 certificate signing request.
+
+- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them
+ (replace them completely, or adding/removing specific flags).
+
+- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the
+ IPsec SAs instead of the policies.
+
+- For libcurl with MultiSSL support, the curl plugin provides an option to
+ select the SSL/TLS backend.
+
+
strongswan-5.9.9
----------------
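Review bot: In the charon-nm entry, the trailing clause "if they are supported by the kernel" can be read as qualifying the name resolution issues rather than the XFRM interfaces. Moving the condition forward removes the ambiguity, e.g. "charon-nm now uses XFRM interfaces, if supported by the kernel, instead of dummy TUN devices to avoid issues with name resolution". In the `pki --issue` entry the parenthetical mixes verb forms ("replace them completely, or adding/removing specific flags"); "replacing them completely, or adding/removing specific flags" would be parallel. The two kernel-dependent entries say "with Linux 6.2 kernels" and "On Linux 6.2 kernels" without stating whether later kernels are included, which is worth making explicit for readers checking their own kernel version.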
Whether to install routes for SAs that reference XFRM interfaces.
Whether routes via XFRM interfaces are automatically installed for SAs that
- reference such an interface via _if_id_. If the traffic selectors include
- the IKE traffic to the peer, this requires special care (e.g. installing
- bypass policies and/or routes, or setting a mark on the IKE socket and
- excluding such packets from the configured routing table via _fwmark_
- option).
+ reference such an interface via _if_id_out_. If the traffic selectors
+ include the IKE traffic to the peer, this requires special care (e.g.
+ installing bypass policies and/or routes, or setting a mark on the IKE
+ socket and excluding such packets from the configured routing table via
+ _fwmark_ option).
charon.plugins.kernel-netlink.mss = 0
MSS to set on installed routes, 0 to disable.
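Review bot: The reworded description narrows the condition from _if_id_ to _if_id_out_ but does not say how SAs that only reference an interface in the inbound direction are treated. One sentence stating whether routes are skipped in that case would keep readers of the old wording from assuming the previous behaviour. Since the paragraph is re-wrapped anyway, "via _fwmark_ option" could become "via the _fwmark_ option". The caveat about traffic selectors that include the IKE traffic to the peer is the operationally risky part of this option, so it may also deserve a mention in the corresponding NEWS entry, which currently describes the option without it.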