summaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2016-07-16 15:19:53 +0200
committerYves-Alexis Perez <corsac@debian.org>2016-07-16 15:19:53 +0200
commita4ab9f7f145c94a5eeb950b92b95c3d362baee67 (patch)
treeb3490a4d2054b18dd1549416216557c8114329aa /NEWS
parent7c6a8194526dc1035140a3157a07b2d9dbfedc59 (diff)
parentbf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff)
downloadvyos-strongswan-a4ab9f7f145c94a5eeb950b92b95c3d362baee67.tar.gz
vyos-strongswan-a4ab9f7f145c94a5eeb950b92b95c3d362baee67.zip
Merge tag 'upstream/5.5.0'
Upstream version 5.5.0
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS38
1 files changed, 38 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 8de6cac4e..db30df1d2 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,41 @@
+strongswan-5.5.0
+----------------
+
+- The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0
+ Trusted Platform Modules. This allows the Attestation IMC/IMV pair to
+ do TPM 2.0 based attestation.
+
+- The behavior during IKEv2 exchange collisions has been improved/fixed in
+ several corner cases and support for TEMPORARY_FAILURE and CHILD_SA_NOT_FOUND
+ notifies, as defined by RFC 7296, has been added.
+
+- IPsec policy priorities can be set manually (e.g. for high-priority drop
+ policies) and outbound policies may be restricted to a network interface.
+
+- The scheme for the automatically calculated default priorities has been
+ changed and now also considers port masks, which were added with 5.4.0.
+
+- FWD policies are now installed in both directions in regards to the traffic
+ selectors. Because such "outbound" FWD policies could conflict with "inbound"
+ FWD policies of other SAs they are installed with a lower priority and don't
+ have a reqid set, which allows kernel plugins to distinguish between the two
+ and prefer those with a reqid.
+
+- For outbound IPsec SAs no replay window is configured anymore.
+
+- Enhanced the functionality of the swanctl --list-conns command by listing
+ IKE_SA and CHILD_SA reauthentication and rekeying settings, and EAP/XAuth
+ identities and EAP types.
+
+- DNS servers installed by the resolve plugin are now refcounted, which should
+ fix its use with make-before-break reauthentication. Any output written to
+ stderr/stdout by resolvconf is now logged.
+
+- The methods in the kernel interfaces have been changed to take structs instead
+ of long lists of arguments. Similarly the constructors for peer_cfg_t and
+ child_cfg_t now take structs.
+
+
strongswan-5.4.0
----------------