Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 56 |
1 files changed, 56 insertions, 0 deletions
@@ -1,3 +1,58 @@ +strongswan-4.1.3 +---------------- + +- IKEv2 peer configuration selection now can be based on a given + certification authority using the rightca= statement. + +- IKEv2 authentication based on RSA signatures now can handle multiple + certificates issued for a given peer ID. This allows a smooth transition + in the case of a peer certificate renewal. + +- IKEv2: Support for requesting a specific virtual IP using leftsourceip on the + client and returning requested virtual IPs using rightsourceip=%config + on the server. If the server does not support configuration payloads, the + client enforces its leftsourceip parameter. + +- The ./configure options --with-uid/--with-gid allow pluto and charon + to drop their privileges to a minimum and change to an other UID/GID. This + improves the systems security, as a possible intruder may only get the + CAP_NET_ADMIN capability. + +- Further modularization of charon: Pluggable control interface and + configuration backend modules provide extensibility. The control interface + for stroke is included, and further interfaces using DBUS (NetworkManager) + or XML are on the way. A backend for storing configurations in the daemon + is provided and more advanced backends (using e.g. a database) are trivial + to implement. + + - Fixed a compilation failure in libfreeswan occuring with Linux kernel + headers > 2.6.17. + + +strongswan-4.1.2 +---------------- + +- Support for an additional Diffie-Hellman exchange when creating/rekeying + a CHILD_SA in IKEv2 (PFS). PFS is enabled when the proposal contains a + DH group (e.g. "esp=aes128-sha1-modp1536"). Further, DH group negotiation + is implemented properly for rekeying. + +- Support for the AES-XCBC-96 MAC algorithm for IPsec SAs when using IKEv2 + (requires linux >= 2.6.20). It is enabled using e.g. "esp=aes256-aesxcbc". + +- Working IPv4-in-IPv6 and IPv6-in-IPv4 tunnels for linux >= 2.6.21. + +- Added support for EAP modules which do not establish an MSK. 
+ +- Removed the dependencies from the /usr/include/linux/ headers by + including xfrm.h, ipsec.h, and pfkeyv2.h in the distribution. + +- crlNumber is now listed by ipsec listcrls + +- The xauth_modules.verify_secret() function now passes the + connection name. + + strongswan-4.1.1 ---------------- @@ -72,6 +127,7 @@ strongswan-4.1.0 strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor fixes to enhance interoperability with other implementations. + strongswan-4.0.7 ---------------- |
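Review bot: The --with-uid/--with-gid entry in the strongswan-4.1.3 block does not say what pluto and charon run as when the options are not passed to ./configure, so a packager cannot tell from NEWS whether the privilege drop is opt-in. One sentence stating the default would cover it. In the same entry, "an other UID/GID" should read "another UID/GID" and "the systems security" should read "the system's security". In the last 4.1.3 entry, "occuring" should be "occurring", and that bullet appears to carry one more leading space than the other "- " entries in the hunk; align it with them.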
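Review bot: The second hunk (@@ -72,6 +127,7 @@) only adds an empty line before the strongswan-4.0.7 heading, which is a whitespace change unrelated to the 4.1.2 and 4.1.3 entries. If the intent is two blank lines between release sections, as the new sections in the first hunk have, say so in the commit message and apply it to every heading in the file, or move it to a separate formatting commit.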