
Version 1 (Tobias Brunner, 13.07.2016 16:39) → Version 2/3 (Tobias Brunner, 18.10.2016 17:26)

h1. Version 5.5.1

* The [[newhope]] plugin implements the post-quantum NewHope key exchange algorithm
proposed in the 2015 paper by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and
Peter Schwabe.

* The libstrongswan crypto factory now offers the registration of Extended
Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256
implemented by the _sha3_ plugin, ChaCha20 implemented by the _chapoly_ plugin
and the more traditional MGF1 Mask Generation Functions based on the SHA-1,
SHA-256 and SHA-512 hash algorithms implemented by the new _mgf1_ plugin.

* By default, the "outbound" FWD policies, introduced with version:5.5.0, are not installed anymore.
They may be enabled via the _policies_fwd_out_ setting in [[swanctl.conf]]/[[vici]] for a specific
CHILD_SA if its traffic would otherwise get blocked by a drop policy.
A bug in the _kernel-netlink_ plugin regarding the updating of reqids, which was particularly a problem
with duplicate "outbound" FWD policies, has also been fixed (commit:175d78df60).

* XFRM policy hashing thresholds may be configured via [[strongswan.conf]]. This can significantly
improve the performance on hosts where the number of flows exceeds the flow cache size of the
Linux kernel. Policies covering more than a single address don't get hash-indexed by default,
which results in most of the cycles being wasted in @xfrm_policy_lookup_bytype()@ and the called
@xfrm_policy_match()@. Since Linux 3.18 the kernel can hash the first n bits of a policy subnet to
perform indexed lookups. With correctly chosen thresholds this can completely eliminate the
performance impact of policy lookups.
*Note:* Due to a bug in Linux 3.19 through 4.7, the kernel crashes with a NULL pointer dereference
if a socket policy (used by strongSwan to exempt IKE traffic from IPsec tunnels) is installed while
hash thresholds are changed. See commit:ac9759a532 for details and a workaround.
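
The following is an added example (not strongSwan or kernel code) that models the hash-indexing decision described above: a policy is indexed only if both selector prefixes are at least as long as the thresholds, otherwise it lands on the linear list that @xfrm_policy_lookup_bytype()@ walks. The threshold names _lbits_ (source/local) and _rbits_ (destination/remote) and the sample SPD are assumptions of the example.

```python
import ipaddress

# Simplified model of the XFRM policy hash thresholds (added example, not
# strongSwan or Linux code). lbits/rbits are the assumed per-family thresholds
# for the source (local) and destination (remote) selector prefixes.

def is_hash_indexed(policy, lbits, rbits):
    """A policy is placed in the hash table only if both selector prefixes are
    at least as long as the thresholds; shorter prefixes go on the linear
    'inexact' list that every lookup has to scan."""
    src = ipaddress.ip_network(policy[0], strict=False)
    dst = ipaddress.ip_network(policy[1], strict=False)
    return src.prefixlen >= lbits and dst.prefixlen >= rbits

def hash_key(policy, lbits, rbits):
    """Hash key built from the first lbits/rbits of the selector addresses."""
    src = ipaddress.ip_network(policy[0], strict=False)
    dst = ipaddress.ip_network(policy[1], strict=False)
    return (int(src.network_address) >> (src.max_prefixlen - lbits),
            int(dst.network_address) >> (dst.max_prefixlen - rbits))

def inexact_count(policies, lbits, rbits):
    """Number of policies a lookup may have to compare one by one."""
    return sum(1 for p in policies if not is_hash_indexed(p, lbits, rbits))

# Constructed sample SPD: 200 subnet-to-subnet tunnels plus one host-to-host policy.
SAMPLE_POLICIES = [("10.1.%d.0/24" % i, "10.2.0.0/16") for i in range(200)]
SAMPLE_POLICIES.append(("192.0.2.1/32", "198.51.100.7/32"))

if __name__ == "__main__":
    # Full-length thresholds (32/32 for IPv4): only single-address policies are hashed.
    print("32/32 inexact policies:", inexact_count(SAMPLE_POLICIES, 32, 32))  # 200
    # Thresholds matching the subnet sizes in use: every policy becomes hash-indexed.
    print("24/16 inexact policies:", inexact_count(SAMPLE_POLICIES, 24, 16))  # 0
```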

* The [[NetworkManager|NetworkManager integration]] has been updated to support NM 1.2.
The directory from which CA certificates are loaded if no certificate is configured in the GUI can
now be configured via [[strongswan.conf]] using the new _charon-nm.ca_dir_ setting.

* IKE fragmentation is now enabled by default with the default fragment size set to 1280 bytes
for both IP address families.

* A DELETE is sent when a rekeyed IKEv1 SA is deleted. This fixes issues with peers that continue
to send DPDs on the old SA and then delete all SAs if no response is received (see #2090).
Also, when terminating IKEv1 SAs, DELETEs for all CHILD_SAs are now sent before sending one for
the IKE_SA and destroying it.

* The [[IpsecPKI|pki tool]], with the help of the _pkcs1_ or _openssl_ plugins, can parse private keys in any of the
supported formats without having to know the exact type. So instead of having to specify _rsa_ or
_ecdsa_ explicitly, the keyword _priv_ may be used to indicate a private key of any type.
Similarly, [[swanctl]] can load any type of private key from the [[swanctldirectory|swanctl/private]] directory.

* The [[IpsecPKI|pki tool]] can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the
_sha3_ and _gmp_ plugins.

* The VICI _flush-certs_ command flushes certificates from the volatile certificate cache.
Optionally the type of the certificates to be flushed (e.g. @type = x509_crl@) can be specified.

* If _charon.cache_crls = yes_ is set in [[strongswan.conf]], the [[vici]] plugin saves regular,
base and delta CRLs to disk.
Fetched CRLs are now also cached if the checked certificate has been revoked.

* The serial number for delta CRLs generated by [[IpsecPKIsigncrl|pki --signcrl]] is now based on
the given base CRL again (was broken since version:4.6.3).

* Delta CRLs are now properly cached in-memory (and on disk) together with their base. Before this,
the presence of a delta CRL might have required that the base be refetched every time.

* When verifying trust chains with [[IpsecPkiVerify|pki --verify]] local CRLs may now be specified with the
new @--crl@ argument.

* IKE and ESP/AH proposals configured as strings in [[ipsec.conf]] and [[swanctl.conf]] are now checked to
avoid invalid proposals. For instance, the presence of DH, PRF and encryption algorithms in IKE proposals
is now enforced, and AEAD and regular encryption algorithms are not allowed in the same proposal
anymore. Also fixed is the mapping of the _aes*gmac_ keywords to an integrity algorithm in AH proposals.
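
As an added example (not strongSwan's proposal parser), the following models the IKE proposal checks described above on a few constructed proposal strings. The keyword tables are deliberately short, and the rule that a missing PRF may be derived from the integrity algorithm is an assumption of the model.

```python
# Simplified model of the IKE proposal string checks (added example, not
# strongSwan code). Keyword tables cover only a handful of common algorithms.
AEAD = {"aes128gcm16", "aes256gcm16", "chacha20poly1305", "aes128ccm16"}
ENCR = {"aes128", "aes192", "aes256", "3des", "null"}
INTEG = {"sha1", "sha256", "sha384", "sha512", "aesxcbc"}
PRF = {"prfsha1", "prfsha256", "prfsha384", "prfsha512", "prfaesxcbc"}
DH = {"modp1024", "modp2048", "modp3072", "ecp256", "ecp384", "curve25519"}

def classify(keyword):
    """Map one proposal keyword to its algorithm transform type."""
    for kind, table in (("aead", AEAD), ("encr", ENCR), ("integ", INTEG),
                        ("prf", PRF), ("dh", DH)):
        if keyword in table:
            return kind
    raise ValueError("unknown algorithm keyword: %s" % keyword)

def check_ike_proposal(proposal):
    """Return the list of problems found; an empty list means the proposal passes."""
    kinds = {}
    for keyword in proposal.split("-"):
        kinds.setdefault(classify(keyword), []).append(keyword)
    problems = []
    if "aead" in kinds and "encr" in kinds:
        problems.append("AEAD and regular encryption algorithms in the same proposal")
    if "aead" not in kinds and "encr" not in kinds:
        problems.append("no encryption algorithm")
    # Assumption of the model: a PRF may be derived from an integrity algorithm,
    # so it must be explicit only when no integrity algorithm is present.
    if "prf" not in kinds and "integ" not in kinds:
        problems.append("no PRF")
    if "dh" not in kinds:
        problems.append("no DH group")
    return problems

if __name__ == "__main__":
    # Constructed sample proposals: two valid, three rejected for different reasons.
    for p in ("aes128-sha256-modp2048", "aes128gcm16-prfsha256-ecp256",
              "aes128gcm16-aes128-sha256-modp2048", "aes128-sha256",
              "aes256gcm16-modp2048"):
        print(p, "->", check_ike_proposal(p) or "ok")
```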

* Unmarked packets may now be matched by setting _0/0xffffffff_ as XFRM mark (commit:33d3ffde25).

* The maximum registered log level is now determined correctly if loggers implementing only
@log@ or @vlog@ are mixed (commit:dac15e03c8).

* In addition to the existing @ike_keys@ and @child_keys@ hooks on @listener_t@ two new hooks
allow listeners to receive the derived IKE and CHILD_SA keys (@ike|child_derived_keys@).

* The check for _libatomic_ has been improved (commit:6e19a1f5f2).

* The use of AES-GCM with BoringSSL has been fixed (commit:c72c6e9225).

* libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by
tss2_tcti_finalize().

* The results of leak-detective are now evaluated in our [[TestingEnvironment|testing environment]], which
led to the fixing of several memory leaks.

* No key and self-signed certificate is generated by starter anymore if ipsec.secrets does not exist.

* The long unmaintained [[Maemo]] plugin and frontend have been removed.