author | Tobias Brunner <tobias@strongswan.org> | 2017-11-17 09:30:02 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-11-17 10:00:29 +0100 |
commit | caee751d13db1878e86f7f668b1cb8792098187d (patch) | |
tree | ae3d96278521983c00b6962d42b4b45c87f5cdee | |
parent | f7a73fe0f7f6303c1d38308cb3b2e05ab147cd9b (diff) | |
NEWS: Added some news for 5.6.1
-rw-r--r-- | NEWS | 30 |
1 files changed, 29 insertions, 1 deletions
@@ -1,7 +1,21 @@ strongswan-5.6.1 ---------------- -- The sec-updater tool checks for security updates dpkg-based repositories +- In compliance with RFCs 8221 and 8247 several algorithms were removed from the + default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from + ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in + custom proposals. + +- Added support for RSASSA-PSS signatures. For backwards compatibility they are + not used automatically by default, enable charon.rsa_pss to change that. To + explicitly use or require such signatures with IKEv2 signature authentication + (RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss... + authentication constraints. + +- The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the + `--rsa-padding pss` option. + +- The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database accordingly. Additionally for each new package version a SWID tag for the given OS and HW architecture is created and stored in the database. 
@@ -12,6 +26,20 @@ strongswan-5.6.1 reference hash measurements. This has been fixed by creating generic product versions having an empty package name. +- A new timeout option for the systime-fix plugin stops periodic system time + checks after a while and enforces a certificate verification, closing or + reauthenticating all SAs with invalid certificates. + +- The IKE event counters, previously only available via ipsec listcounters, may + now be queried/reset via vici and the new swanctl --counters command. They are + provided by the new optional counters plugin. + +- Class attributes received in RADIUS Access-Accept messages may optionally be + added to RADIUS accounting messages. + +- Inbound marks may optionally be installed on the SA again (was removed with + 5.5.2) by enabling the mark_in_sa option in swanctl.conf. + strongswan-5.6.0 ---------------- |
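Review bot: In the first hunk (@@ -1,7 +1,21 @@), the RSASSA-PSS entry trails off at "use ike:rsa/pss... authentication constraints", so a reader cannot tell what a complete constraint looks like. Either spell out one full constraint or refer to the documentation that lists them. The same entry says "enable charon.rsa_pss" without naming the configuration file, while the mark_in_sa entry later in this patch names swanctl.conf; naming the file here too would keep the entries consistent.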
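Review bot: In the second hunk (@@ -12,6 +26,20 @@), the systime-fix entry says the periodic checks stop "after a while" and never names the new option or the unit of its value. Because reaching the timeout closes or reauthenticates all SAs with invalid certificates, the entry should give the option name and say what the value means. In the inbound marks entry, "(was removed with 5.5.2)" has no subject agreeing with "Inbound marks"; "(this was removed with 5.5.2)" would read cleanly.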