diff options
| author | Yves-Alexis Perez <corsac@corsac.net> | 2017-11-21 10:22:31 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-11-21 10:22:31 +0100 |
| commit | e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (patch) | |
| tree | ae0c8b5f4cd8289d0797882ea18969f33ea59a1e /NEWS | |
| parent | 11d6b62db969bdd808d0f56706cb18f113927a31 (diff) | |
| download | vyos-strongswan-e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e.tar.gz vyos-strongswan-e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e.zip | |
New upstream version 5.6.1
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 43 |
1 files changed, 43 insertions, 0 deletions
@@ -1,3 +1,46 @@ +strongswan-5.6.1 +---------------- + +- In compliance with RFCs 8221 and 8247 several algorithms were removed from the + default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from + ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in + custom proposals. + +- Added support for RSASSA-PSS signatures. For backwards compatibility they are + not used automatically by default, enable charon.rsa_pss to change that. To + explicitly use or require such signatures with IKEv2 signature authentication + (RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss... + authentication constraints. + +- The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the + `--rsa-padding pss` option. + +- The sec-updater tool checks for security updates in dpkg-based repositories + (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database + accordingly. Additionally for each new package version a SWID tag for the + given OS and HW architecture is created and stored in the database. + Using the sec-updater.sh script template the lookup can be automated + (e.g. via an hourly cron job). + +- The introduction of file versions in the IMV database scheme broke file + reference hash measurements. This has been fixed by creating generic product + versions having an empty package name. + +- A new timeout option for the systime-fix plugin stops periodic system time + checks after a while and enforces a certificate verification, closing or + reauthenticating all SAs with invalid certificates. + +- The IKE event counters, previously only available via ipsec listcounters, may + now be queried/reset via vici and the new swanctl --counters command. They are + provided by the new optional counters plugin. + +- Class attributes received in RADIUS Access-Accept messages may optionally be + added to RADIUS accounting messages. + +- Inbound marks may optionally be installed on the SA again (was removed with + 5.5.2) by enabling the mark_in_sa option in swanctl.conf. + + strongswan-5.6.0 ---------------- |