From: Tobias Brunner Date: Fri, 24 Feb 2023 15:03:07 +0000 (+0100) Subject: NEWS: Add news for 5.9.10 X-Git-Tag: 5.9.10~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d605584a7aaa8c18e51afa40710b8b0485e51cc2;p=thirdparty%2Fstrongswan.git NEWS: Add news for 5.9.10 --- diff --git a/NEWS b/NEWS index 20d94b8f14..9945180335 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,37 @@ +strongswan-5.9.10 +----------------- + +- Added support for full packet hardware offload for IPsec SAs and policies with + Linux 6.2 kernels to the kernel-netlink plugin. + +- TLS-based EAP methods now use the standardized key derivation when used + with TLS 1.3. + +- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by + implementing the "protected success indication". + +- With the `prefer` value for the `childless` setting, initiators will create + a childless IKE_SA if the responder supports the extension. + +- Routes via XFRM interfaces can optionally be installed automatically by + enabling the `install_routes_xfrmi` option of the kernel-netlink plugin. + +- charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid + issues with name resolution if they are supported by the kernel. + +- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the + PKCS#10 certificate signing request. + +- The `pki --issue` command adopts EKU flags from CSRs but allows modifying them + (replace them completely, or adding/removing specific flags). + +- On Linux 6.2 kernels, the last use times of CHILD_SAs are determined via the + IPsec SAs instead of the policies. + +- For libcurl with MultiSSL support, the curl plugin provides an option to + select the SSL/TLS backend. + + strongswan-5.9.9 ---------------- diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index f1767ef34c..39fdf5b997 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt 
@@ -32,11 +32,11 @@ charon.plugins.kernel-netlink.install_routes_xfrmi = no Whether to install routes for SAs that reference XFRM interfaces. Whether routes via XFRM interfaces are automatically installed for SAs that - reference such an interface via _if_id_. If the traffic selectors include - the IKE traffic to the peer, this requires special care (e.g. installing - bypass policies and/or routes, or setting a mark on the IKE socket and - excluding such packets from the configured routing table via _fwmark_ - option). + reference such an interface via _if_id_out_. If the traffic selectors + include the IKE traffic to the peer, this requires special care (e.g. + installing bypass policies and/or routes, or setting a mark on the IKE + socket and excluding such packets from the configured routing table via + _fwmark_ option). charon.plugins.kernel-netlink.mss = 0 MSS to set on installed routes, 0 to disable.
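Review bot: In the NEWS hunk, the `install_routes_xfrmi` entry omits the caveat that the option's own description in conf/plugins/kernel-netlink.opt carries: if the traffic selectors include the IKE traffic to the peer, automatically installed routes need special care (bypass policies and/or routes, or a mark on the IKE socket). A short pointer to that in the entry would help anyone enabling the option from the release notes alone. Two wording points in the same hunk: in the charon-nm entry the trailing "if they are supported by the kernel" reads as if it modified "issues with name resolution", so consider "now uses XFRM interfaces, if supported by the kernel, instead of dummy TUN devices"; and in the `pki --issue` entry "(replace them completely, or adding/removing specific flags)" mixes verb forms, so "replacing them completely, or adding/removing specific flags" would be consistent.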
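Review bot: The conf/plugins/kernel-netlink.opt hunk is not covered by the commit subject "NEWS: Add news for 5.9.10": it changes the `install_routes_xfrmi` description from _if_id_ to _if_id_out_, which is a documentation correction rather than a NEWS update. Either split it into its own commit or mention it in the commit message, so the change can be found in the history of that file. Since the paragraph is being rewrapped anyway, "via _fwmark_ option" could also become "via the _fwmark_ option".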