author | Tobias Brunner <tobias@strongswan.org> | 2015-02-27 19:19:13 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2015-03-04 13:54:12 +0100 |
commit | 3f1ef3a678159e1523f38a3e50ccb55afc4461a4 (patch) | |
tree | df0c6d792ad540ef1a340bcc3ad5fbf4875f0df0 | |
parent | 276cf3b725449b8027cdd5c093eb6cf644273c3c (diff) | |
NEWS: Introduce RFC 7427 signature authentication
-rw-r--r-- | NEWS | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -9,6 +9,19 @@ strongswan-5.3.0 as any previous strongSwan release) it must be explicitly enabled using the charon.make_before_break strongswan.conf option. +- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added. + This allows the use of stronger hash algorithms for public key authentication. + By default, signature schemes are chosen based on the strength of the + signature key, but specific hash algorithms may be configured in leftauth. + +- Key types and hash algorithms specified in rightauth are now also checked + against IKEv2 signature schemes. If such constraints are used for certificate + chain validation in existing configurations, in particular with peers that + don't support RFC 7427, it may be necessary to disable this feature with the + charon.signature_authentication_constraints setting, because the signature + scheme used in classic IKEv2 public key authentication may not be strong + enough. + - The new connmark plugin allows a host to bind conntrack flows to a specific CHILD_SA by applying and restoring the SA mark to conntrack entries. This allows a peer to handle multiple transport mode connections coming over the |
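Review bot: the two new NEWS bullets refer to configuration knobs without telling the administrator what they default to or how they are spelled. The first bullet says "specific hash algorithms may be configured in leftauth" but gives no example of the leftauth value that selects them, and the second bullet tells users they "may need to disable this feature with the charon.signature_authentication_constraints setting" without stating its default (presumably enabled, since the paragraph describes a behaviour change for existing configurations). Since this is the upgrade note operators will read when a previously working connection with a peer lacking RFC 7427 support starts failing authentication, suggest stating the default of charon.signature_authentication_constraints explicitly and adding a one-line leftauth example, or a pointer to where the new syntax is documented, so the entry is actionable on its own.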