From: Tobias Brunner Date: Wed, 15 Nov 2023 13:05:09 +0000 (+0100) Subject: NEWS: Add news for 5.9.12 X-Git-Tag: 5.9.12~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0dbb6867d84154eafd7f39bd205b87bd4bc4b0bf;p=thirdparty%2Fstrongswan.git NEWS: Add news for 5.9.12 --- diff --git a/NEWS b/NEWS index 2850cde630..c75bf1f140 100644 --- a/NEWS +++ b/NEWS 
@@ -1,14 +1,66 @@ strongswan-5.9.12 ----------------- -- The cert-enroll script handles the initial enrollment of an X.509 - host certificate with a PKI server via the EST or SCEP protocols. - - Run as a systemd timer or via a crontab entry the script daily - checks the expiration date of the host certificate. When a given - deadline is reached, the host certificate is automatically renewed - via EST or SCEP re-enrollment based on the possession of the old - private key and the matching certificate. +- The new `pki --ocsp` command produces OCSP responses based on certificate + status information provided by plugins. + + Two sources are currently available, the openxpki plugin that directly + accesses the OpenXPKI database and the `--index` argument, which reads + certificate status information from OpenSSL-style index.txt files. + +- The cert-enroll script handles the initial enrollment of an X.509 host + certificate with a PKI server via the EST or SCEP protocols. + + Run as a systemd timer or via a crontab entry the script daily checks the + expiration date of the host certificate. When a given deadline is reached, + the host certificate is automatically renewed via EST or SCEP re-enrollment + based on the possession of the old private key and the matching certificate. + +- The --priv argument for charon-cmd allows using any type of private key. + +- Support for nameConstraints of type iPAddress has been added (the openssl + plugin previously didn't support nameConstraints at all). + +- SANs of type uniformResourceIdentifier can now be encoded in certificates. + +- Password-less PKCS#12 and PKCS#8 files are supported. + +- A new global option allows preventing peers from authenticating with trusted + end-entity certificates (i.e. local certificates). + +- ECDSA public keys that encode curve parameters explicitly are now rejected by + all plugins that support ECDSA. 
+ +- charon-nm now actually uses the XFRM interfaces added with 5.9.10, it can + also use the name in connection.interface-name. + +- The resolve plugin tries to maintain the order of installed DNS servers. + +- The kernel-libipsec plugin always installs routes even if no address is found + in the local traffic selectors. + +- Increased the default receive buffer size for Netlink sockets to 8 MiB and + simplified its configuration. + +- Copy the issuer's subjectKeyIdentifier as authorityKeyIdentifier instead of + always generating a hash of the subjectPublicKey. + +- Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD + timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with + unrelated traffic selectors. + +- Fixed a possible infinite loop issue in watcher_t and removed WATCHER_EXCEPT, + instead callbacks are always invoked even if only errors are signaled. + +- Fixed a regression in the IKE_SA_INIT tracking code added with 5.9.6 when + handling invalid messages. + +- Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs. + +- Correctly encode SPI from REKEY_SA notify in CHILD_SA_NOT_FOUND notify if + CHILD_SA is not found during rekeying. + +- The testing environment is now based on Debian 12 (bookworm), by default. strongswan-5.9.11
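Review bot: the entry "A new global option allows preventing peers from authenticating with trusted end-entity certificates (i.e. local certificates)" does not name the option, while the neighbouring entries do name theirs (`pki --ocsp`, `--index`, `--priv`, `connection.interface-name`); add the strongswan.conf key so operators can find and enable it. The ECDSA entry ("ECDSA public keys that encode curve parameters explicitly are now rejected by all plugins that support ECDSA") is a behaviour change that will make authentication fail against peers that still use such keys, so it is worth saying so in the entry. Minor wording: "Run as a systemd timer or via a crontab entry the script daily checks" needs a comma after "entry", and the charon-nm and watcher_t entries are comma splices ("...added with 5.9.10, it can also use..." and "...removed WATCHER_EXCEPT, instead callbacks...") that read better as two sentences each.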