Version 5.0.3 » History » Version 2
Version 1 (Tobias Brunner, 31.01.2013 10:25) → Version 2/3 (Tobias Brunner, 05.04.2013 11:44)
h1. Version 5.0.3
* The new ipseckey plugin enables authentication based on trustworthy public
keys stored as IPSECKEY resource records in the DNS and protected by DNSSEC.
To do so it uses a DNSSEC enabled resolver, like the one provided by the new
unbound plugin, which is based on libldns and libunbound. Both plugins were
created by Reto Guadagnini.
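Worked example (added here; this is not strongSwan's or the ipseckey plugin's code): a small Python decoder for the IPSECKEY record format (RFC 4025) that such a plugin consumes, in both wire and zone-file form, plus a selection step that only accepts a key when the answer was DNSSEC validated and then prefers the lowest precedence. The `dnssec_validated` flag, the `select_key` helper and the sample records are constructed for the example and stand in for the resolver's validation result; they are not a strongSwan API.

```python
"""Decode DNS IPSECKEY records (RFC 4025) and choose the peer key to trust.

Added example, not strongSwan code. Wire format of the RDATA:
  precedence (1 byte) | gateway type (1) | algorithm (1) | gateway (varies) | public key
"""
import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

GATEWAY_NONE, GATEWAY_IPV4, GATEWAY_IPV6, GATEWAY_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2  # algorithm numbers from RFC 4025


@dataclass
class IpsecKey:
    precedence: int       # lower values are preferred (RFC 4025)
    gateway_type: int
    algorithm: int
    gateway: str          # ".", dotted IPv4, IPv6 text, or an absolute domain name
    public_key: bytes     # raw key material carried in the record


def _read_name(data: bytes, pos: int):
    """Decode an uncompressed DNS wire-format name starting at pos."""
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated gateway name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            # Compression pointers (0xC0..) are not permitted inside this RDATA.
            raise ValueError("invalid label length %d" % length)
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", pos


def parse_rdata(rdata: bytes) -> IpsecKey:
    """Parse wire-format IPSECKEY RDATA; the gateway length depends on its type."""
    if len(rdata) < 3:
        raise ValueError("RDATA shorter than the 3-byte fixed header")
    precedence, gw_type, algorithm = rdata[0], rdata[1], rdata[2]
    pos = 3
    if gw_type == GATEWAY_NONE:
        gateway = "."
    elif gw_type == GATEWAY_IPV4:
        if len(rdata) < pos + 4:
            raise ValueError("truncated IPv4 gateway")
        gateway = str(ipaddress.IPv4Address(rdata[pos:pos + 4]))
        pos += 4
    elif gw_type == GATEWAY_IPV6:
        if len(rdata) < pos + 16:
            raise ValueError("truncated IPv6 gateway")
        gateway = str(ipaddress.IPv6Address(rdata[pos:pos + 16]))
        pos += 16
    elif gw_type == GATEWAY_NAME:
        gateway, pos = _read_name(rdata, pos)
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    return IpsecKey(precedence, gw_type, algorithm, gateway, rdata[pos:])


def parse_presentation(text: str) -> IpsecKey:
    """Parse the zone-file form '<prec> <gwtype> <alg> <gateway> <base64 key>'."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("expected at least 4 fields")
    precedence, gw_type, algorithm = (int(f) for f in fields[:3])
    key = base64.b64decode("".join(fields[4:]), validate=True) if len(fields) > 4 else b""
    return IpsecKey(precedence, gw_type, algorithm, fields[3], key)


def select_key(records: List[IpsecKey], dnssec_validated: bool) -> Optional[IpsecKey]:
    """Pick the record to authenticate the peer with.

    `dnssec_validated` is a constructed flag standing in for the validating
    resolver's result (e.g. the AD bit); only validated answers are trusted,
    only records with a usable algorithm and key count, lowest precedence wins.
    """
    if not dnssec_validated:
        # An unvalidated IPSECKEY answer could have been spoofed: never use it.
        raise ValueError("IPSECKEY answer was not DNSSEC validated")
    usable = [r for r in records if r.algorithm in (ALG_DSA, ALG_RSA) and r.public_key]
    if not usable:
        return None
    return min(usable, key=lambda r: r.precedence)


if __name__ == "__main__":
    # Constructed sample: precedence 10, IPv4 gateway 192.0.2.38, RSA, 3 key bytes.
    sample = bytes([10, GATEWAY_IPV4, ALG_RSA]) + b"\xc0\x00\x02\x26" + b"\x01\x02\x03"
    print(parse_rdata(sample))
    print(select_key([parse_presentation("10 1 2 192.0.2.38 AQID")], dnssec_validated=True))
```

The parser is strict on purpose: a truncated gateway, an unknown gateway type or a compression pointer inside the RDATA is rejected rather than guessed at, and `select_key` refuses the whole answer when it was not validated, which mirrors the requirement in the note above that the records be protected by DNSSEC.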
* Implemented the TCG TNC IF-IMV 1.4 draft making access requestor identities
available to an IMV. The OS IMV stores the AR identity together with the
device ID in the attest database.
* The openssl plugin now uses the AES-NI accelerated version of AES-GCM
if the hardware supports it.
* The [[EAPRadius|eap-radius plugin]] can now assign [[VirtualIP|virtual IPs]] to IKE clients using the
Framed-IP-Address attribute by using the _%radius_ named pool in the
rightsourceip [[ipsec.conf]] option. Cisco Banner attributes are forwarded to
Unity-capable IKEv1 clients during mode config. charon now sends Interim
Accounting updates if requested by the RADIUS server, reports
sent/received packets in Accounting messages, and adds a Terminate-Cause
to Accounting-Stops.
* The recently introduced _[[IPsecCommand|ipsec]] listcounters_ command can report connection
specific counters by passing a connection name, and global or connection
counters can be reset by the _ipsec resetcounters_ command.
* The strongSwan libpttls library provides an experimental implementation of
PT-TLS (RFC 6876), a Posture Transport Protocol over TLS.
* The charon [[SystimeFixPlugin|systime-fix plugin]] can disable certificate lifetime checks on
embedded systems if the system time is obviously out of sync after bootup.
Certificate lifetimes are checked once the system time becomes sane, closing
or reauthenticating connections using expired certificates.
* The _ikedscp_ [[ipsec.conf]] option can set DiffServ code points on outgoing
IKE packets.
* The new xauth-noauth plugin allows using basic RSA or PSK authentication with
clients that cannot be configured without XAuth authentication. The plugin
simply concludes the XAuth exchange successfully without actually performing
any authentication. Therefore, to use this backend it has to be selected
explicitly with @rightauth2=xauth-noauth@.
* The new charon-tkm IKEv2 daemon delegates security critical operations to a
separate process. This has the benefit that the network facing daemon has no
knowledge of keying material used to protect child SAs. Thus subverting
charon-tkm does not result in the compromise of cryptographic keys.
The extracted functionality has been implemented from scratch in a minimal TCB
(trusted computing base) in the Ada programming language. Further information
can be found at http://www.codelabs.ch/tkm/.