author: Tobias Brunner <tobias@strongswan.org> 2015-02-27 19:19:13 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2015-03-04 13:54:12 +0100
commit: 3f1ef3a678159e1523f38a3e50ccb55afc4461a4 (patch)
tree: df0c6d792ad540ef1a340bcc3ad5fbf4875f0df0
parent: 276cf3b725449b8027cdd5c093eb6cf644273c3c (diff)
NEWS: Introduce RFC 7427 signature authentication
 NEWS | 13 +++++++++++++
 1 file changed, 13 insertions(+), 0 deletions(-)
diff --git a/NEWS b/NEWS
index 8dc5e314d..69fbdd143 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,19 @@ strongswan-5.3.0
as any previous strongSwan release) it must be explicitly enabled using
the charon.make_before_break strongswan.conf option.
+- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added.
+ This allows the use of stronger hash algorithms for public key authentication.
+ By default, signature schemes are chosen based on the strength of the
+ signature key, but specific hash algorithms may be configured in leftauth.
+
+- Key types and hash algorithms specified in rightauth are now also checked
+ against IKEv2 signature schemes. If such constraints are used for certificate
+ chain validation in existing configurations, in particular with peers that
+ don't support RFC 7427, it may be necessary to disable this feature with the
+ charon.signature_authentication_constraints setting, because the signature
+ scheme used in classic IKEv2 public key authentication may not be strong
+ enough.
+
- The new connmark plugin allows a host to bind conntrack flows to a specific
CHILD_SA by applying and restoring the SA mark to conntrack entries. This
allows a peer to handle multiple transport mode connections coming over the
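Review bot: the second added entry tells users they may have to disable the new check with charon.signature_authentication_constraints, but it does not spell out the trade-off, which is that with the setting turned off the key types and hash algorithms given in rightauth are no longer enforced against the IKEv2 signature scheme the peer actually used, only against the certificate chain as before; a sentence stating that explicitly, together with the option's default, would help administrators judge the risk of turning it off for peers that don't support RFC 7427. In the first entry, "specific hash algorithms may be configured in leftauth" gives no hint of the syntax; consider either showing the form of such a leftauth value or pointing to where it is documented.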