From: Tobias Brunner Date: Thu, 29 Sep 2022 07:44:32 +0000 (+0200) Subject: NEWS: Add news for 5.9.8 X-Git-Tag: 5.9.8~8 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=ce82edfbe25e0c40330a76b4132c783cc2d4fbca;p=thirdparty%2Fstrongswan.git NEWS: Add news for 5.9.8 Also fixed the RFC number for EST. --- diff --git a/NEWS b/NEWS index eaf446fc54..699f8531dc 100644 --- a/NEWS +++ b/NEWS @@ -2,16 +2,29 @@ strongswan-5.9.8 ---------------- - The pki --scep|--scepca commands support the HTTP-based "Simple Certificate - Enrollment Protocol" (RFC 8894 SCEP) replacing the obsoleted scepclient that - has been removed. + Enrollment Protocol" (RFC 8894 SCEP) replacing the old and long deprecated + scepclient that has been removed. - The pki --est|estca commands support the HTTPS-based "Enrollment over Secure - Transport" (RFC 7070 EST) protocol. + Transport" (RFC 7030 EST) protocol. - The pki --req command can create a certificate request based on an existing PKCS#10 template by replacing the public key and re-generating the signature with the new private key. +- For IKEv2, the ike_updown() "up" event and the state change to IKE_ESTABLISHED + are now triggered after all IKE-related tasks are done. + +- The ike_cfg_t object is now always replaced together with the peer_cfg_t + object that's set on an IKE_SA during authentication. + +- The gcm plugin has been enabled by default, so that the TLS 1.3 unit tests + can be completed successfully with just the default plugins. + +- The socket plugins don't set the SO_REUSEADDR option anymore on the IKE UDP + sockets, so an error is triggered if e.g. two daemons (e.g. charon and + charon-systemd) are running concurrently using the same ports. + - The charon.rsa_pss_trailerfield setting generates an algorithmIdentifier with explicit trailerField.
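Review bot: The EST entry still reads "--est|estca", while the SCEP entry directly above it uses "--scep|--scepca". Since this entry is already being touched for the RFC 7030 correction, the option list should become "--est|--estca" in the same change. In the new SO_REUSEADDR entry, "e.g." appears twice in one sentence ("if e.g. two daemons (e.g. charon and charon-systemd)"); dropping the first one reads better. That entry describes a behaviour change that operators running two daemons on the same ports will notice, so it would help to state where the error surfaces. The remaining added entries read fine as written.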