Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 56
1 files changed, 56 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index ab92d22e5..9c64e6001 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,58 @@
+strongswan-4.1.3
+----------------
+
+- IKEv2 peer configuration selection now can be based on a given
+ certification authority using the rightca= statement.
+
+- IKEv2 authentication based on RSA signatures now can handle multiple
+ certificates issued for a given peer ID. This allows a smooth transition
+ in the case of a peer certificate renewal.
+
+- IKEv2: Support for requesting a specific virtual IP using leftsourceip on the
+ client and returning requested virtual IPs using rightsourceip=%config
+ on the server. If the server does not support configuration payloads, the
+ client enforces its leftsourceip parameter.
+
+- The ./configure options --with-uid/--with-gid allow pluto and charon
+ to drop their privileges to a minimum and change to an other UID/GID. This
+ improves the systems security, as a possible intruder may only get the
+ CAP_NET_ADMIN capability.
+
+- Further modularization of charon: Pluggable control interface and
+ configuration backend modules provide extensibility. The control interface
+ for stroke is included, and further interfaces using DBUS (NetworkManager)
+ or XML are on the way. A backend for storing configurations in the daemon
+ is provided and more advanced backends (using e.g. a database) are trivial
+ to implement.
+
+ - Fixed a compilation failure in libfreeswan occuring with Linux kernel
+ headers > 2.6.17.
+
+
+strongswan-4.1.2
+----------------
+
+- Support for an additional Diffie-Hellman exchange when creating/rekeying
+ a CHILD_SA in IKEv2 (PFS). PFS is enabled when the proposal contains a
+ DH group (e.g. "esp=aes128-sha1-modp1536"). Further, DH group negotiation
+ is implemented properly for rekeying.
+
+- Support for the AES-XCBC-96 MAC algorithm for IPsec SAs when using IKEv2
+ (requires linux >= 2.6.20). It is enabled using e.g. "esp=aes256-aesxcbc".
+
+- Working IPv4-in-IPv6 and IPv6-in-IPv4 tunnels for linux >= 2.6.21.
+
+- Added support for EAP modules which do not establish an MSK.
+
+- Removed the dependencies from the /usr/include/linux/ headers by
+ including xfrm.h, ipsec.h, and pfkeyv2.h in the distribution.
+
+- crlNumber is now listed by ipsec listcrls
+
+- The xauth_modules.verify_secret() function now passes the
+ connection name.
+
+
strongswan-4.1.1
----------------
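
Review bot: The --with-uid/--with-gid entry in the 4.1.3 section does not say what pluto and charon run as when the options are omitted, so "a possible intruder may only get the CAP_NET_ADMIN capability" can be read as applying to every build; suggest stating that the privilege drop only happens when these configure options are given. Wording in the same entry: "an other UID/GID" should be "another UID/GID" and "the systems security" should be "the system's security". In the libfreeswan entry, "occuring" should be "occurring", and that bullet starts with an extra space before the dash, unlike the other bullets. The "crlNumber is now listed by ipsec listcrls" entry in the 4.1.2 section lacks the final period the other entries have.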
@@ -72,6 +127,7 @@ strongswan-4.1.0
strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor
fixes to enhance interoperability with other implementations.
+
strongswan-4.0.7
----------------