From 5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Thu, 22 Oct 2015 11:43:58 +0200
Subject: Imported Upstream version 5.3.3

---
 NEWS | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

(limited to 'NEWS')

diff --git a/NEWS b/NEWS
index e0cfb7e98..0940dff9c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,49 @@ +strongswan-5.3.3 +---------------- + +- Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and + RFC 7634 using the chacha20poly1305 ike/esp proposal keyword. The new chapoly + plugin implements the cipher, if possible SSE-accelerated on x86/x64 + architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP + backend. On Linux 4.2 or newer the kernel-netlink plugin can configure the + cipher for ESP SAs. + +- The vici interface now supports the configuration of auxiliary certification + authority information as CRL and OCSP URIs. + +- In the bliss plugin the c_indices derivation using a SHA-512 based random + oracle has been fixed, generalized and standardized by employing the MGF1 mask + generation function with SHA-512. As a consequence BLISS signatures unsing the + improved oracle are not compatible with the earlier implementation. + +- Support for auto=route with right=%any for transport mode connections has + been added (the ikev2/trap-any scenario provides examples). + +- The starter daemon does not flush IPsec policies and SAs anymore when it is + stopped. Already existing duplicate policies are now overwritten by the IKE + daemon when it installs its policies. + +- Init limits (like charon.init_limit_half_open) can now optionally be enforced + when initiating SAs via VICI. For this, IKE_SAs initiated by the daemon are + now also counted as half-open SAs, which, as a side-effect, fixes the status + output while connecting (e.g. in ipsec status). + +- Symmetric configuration of EAP methods in left|rightauth is now possible when + mutual EAP-only authentication is used (previously, the client had to + configure rightauth=eap or rightauth=any, which prevented it from using this + same config as responder). + +- The initiator flag in the IKEv2 header is compared again (wasn't the case + since 5.0.0) and packets that have the flag set incorrectly are again ignored. 
+ +- Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy + Device Health Assessment Trusted Network Connect Binding" (HCD-TNC) + document drafted by the IEEE Printer Working Group (PWG). + +- Fixed IF-M segmentation which failed in the presence of multiple small + attributes in front of a huge attribute to be segmented. + + strongswan-5.3.2 ---------------- -- cgit v1.2.3
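Review bot: typo in the BLISS entry of this hunk, "BLISS signatures unsing the improved oracle" should read "using". Two further points on the same hunk: the starter entry ("The starter daemon does not flush IPsec policies and SAs anymore when it is stopped") changes what `ipsec stop` leaves behind in the kernel, so the entry should say how an administrator is expected to remove left-over policies and SAs now (for example by pointing at `ip xfrm policy flush` / `ip xfrm state flush`), and the BLISS entry, which states that signatures from the MGF1/SHA-512 oracle are "not compatible with the earlier implementation", should tell deployers how to recognize which oracle produced a given signature or at least that all signers and verifiers must be upgraded together.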