
Version 1 (Tobias Brunner, 28.06.2016 12:33) → Version 2/3 (Tobias Brunner, 01.07.2016 17:33)

h1. Version 5.5.0

* The new libtpmtss library offers support for both TPM 1.2 and TPM 2.0 Trusted Platform Modules.
This allows the Attestation IMC/IMV pair to do TPM 2.0 based attestation.

* The behavior during IKEv2 exchange collisions has been improved/fixed in several corner cases
and support for @TEMPORARY_FAILURE@ and @CHILD_SA_NOT_FOUND@ notifies, as defined by RFC 7296,
has been added (#379, #464, #876, #1293). The behavior is tested with a series of new unit tests.

* IPsec policy priorities can be set manually (e.g. for high-priority drop policies) and outbound
policies may be restricted to a network interface. These options are only configurable via [[swanctl.conf]].
An example is provided in the {{tc(swanctl/manual-prio)}} scenario.
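The following swanctl.conf fragment is an added illustration of the two new child options (it is not taken from the wiki page or from the manual-prio scenario); addresses, identities and certificate names are constructed, and the fixed priority value follows the kernel convention that a lower number wins:

```conf
# Constructed example, not part of the strongSwan test scenarios.
connections {
    gw-gw {
        local_addrs  = 192.0.2.1
        remote_addrs = 192.0.2.2
        proposals    = aes128-sha256-ecp256
        local {
            auth  = pubkey
            certs = moonCert.pem
            id    = moon.strongswan.org
        }
        remote {
            auth = pubkey
            id   = sun.strongswan.org
        }
        children {
            net-net {
                local_ts      = 10.1.0.0/16
                remote_ts     = 10.2.0.0/16
                esp_proposals = aes128gcm128
                start_action  = trap
                # New in 5.5.0: install the outbound policies of this
                # CHILD_SA only on eth0, so traffic leaving via another
                # interface is not matched by them.
                interface = eth0
            }
        }
    }
    # Shunt connection: a drop policy that must never be outranked.
    never-cleartext {
        children {
            drop-blocked {
                local_ts     = 10.1.0.0/16
                remote_ts    = 10.3.0.0/16
                mode         = drop
                start_action = trap
                # New in 5.5.0: a fixed priority instead of the value
                # calculated from the traffic selector sizes. With 1 the
                # drop policy stays ahead of any narrower policy a peer
                # might later negotiate inside 10.3.0.0/16.
                priority = 1
            }
        }
    }
}
```

Without the fixed priority, a CHILD_SA negotiated for, say, 10.3.5.0/24 would receive a higher calculated priority than the /16 drop policy and silently take precedence over it.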

* The scheme for the automatically calculated default priorities has been changed and now also
considers port masks, which were added with version:5.4.0 (for details see commit:d3af3b799f).

* FWD policies are now installed in both directions in regards to the traffic selectors (commit:9c12635252).
Because such "outbound" FWD policies could conflict with "inbound" FWD policies of other SAs (as, for
example, in the {{tc(swanctl/net2net-gw)}} or the {{tc(ikev2/ip-two-pools-db)}} scenarios) they are installed
with a lower priority and don't have a reqid set, which allows kernel plugins to distinguish between the
two and prefer those with a reqid.

* For outbound IPsec SAs no replay window is configured anymore.

* When using unique marks (_mark=%unique_) the allocated mark is now correctly passed to the
[[updown]] script (commit:b210369314).

* Enhanced the functionality of the [[swanctl|swanctl --list-conns]] command by listing IKE_SA and CHILD_SA
[[ExpiryRekey|reauthentication and rekeying settings]] and EAP/XAuth identities and EAP types.

* Fixed an interoperability issue with Windows Server 2012 R2 gateways after modifying the default IKE
proposal with version:5.4.0 (commit:fae18fd201, also explained in the [[AndroidVPNClient#161-2016-05-04|changelog of the Android app]]).

* DNS servers installed by the [[ResolvePlugin|resolve plugin]] are now refcounted, which should fix its use with
make-before-break reauthentication. Any output written to stderr/stdout by _resolvconf_ is now logged.

* Negotiation of ESN (Extended Sequence Numbers) with IKEv1 is supported (commit:40bb4677f7).

* The default [[PluginLoad|plugin load list]] may now be modified by specifying the individual _load_ setting of a plugin.

* Fixed how mappings are stored in the _eap-simaka-pseudonym_ plugin (commit:5005325020).

* Support for BoringSSL and OpenSSL 1.1.0 has been added.

* Notes for developers:
** The methods in the kernel interfaces have been changed to take structs instead of long lists of arguments.
** Similarly, the constructors for @peer_cfg_t@ and @child_cfg_t@ now take structs.
** We now use the standard unsigned integer types (e.g. @uint64_t@ instead of @u_int64_t@).
** The [[TestingEnvironment|testing environment]] now uses images based on Debian jessie (stable).