Version 2 (Tobias Brunner, 16.11.2017 14:35) → Version 3/4 (Tobias Brunner, 17.11.2017 10:23)

h1. Version 5.6.1

* Several algorithms have been removed from the default ESP/AH and IKEv2 proposals in conformance with
"RFC 8221":https://tools.ietf.org/html/rfc8221 and "RFC 8247":https://tools.ietf.org/html/rfc8247, respectively. Removed from the default ESP/AH proposal were the
3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKEv2 default
proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the
latter is significant for [[Windows7#AES-256-CBC-and-MODP2048|Windows clients]] in their default configuration).
These algorithms may still be used in custom proposals.
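A custom proposal that re-adds one of the dropped algorithms for a single connection, as an added example that is not part of these release notes or of the strongSwan documentation. The connection name, address, identities and file names are placeholders, and @aes256-sha1-modp1024@ stands in for whatever MODP-1024 proposal your legacy clients actually send; the registry change on the linked Windows page is the better fix where it can be applied.

```conf
# swanctl.conf, added example (not from the release notes): a road-warrior
# connection for peers that still need an algorithm dropped from the 5.6.1
# defaults. Connection name, address, ids and file names are placeholders.
connections {
    rw-legacy {
        local_addrs = 192.0.2.1
        # IKE: "proposals = default" no longer contains modp1024 since 5.6.1.
        # A peer that still needs it only connects if the group is listed
        # explicitly; the strong proposal goes first.
        proposals = aes256-sha256-modp2048,aes256-sha1-modp1024
        local {
            auth  = pubkey
            certs = serverCert.pem
            id    = vpn.example.org
        }
        remote {
            auth = pubkey
        }
        children {
            rw {
                local_ts = 10.1.0.0/16
                # ESP: 3des, blowfish and md5 are gone from the default as well.
                # Only add one of them here if a peer offers nothing else, e.g.
                # esp_proposals = aes256-sha256,3des-sha1
                esp_proposals = aes256-sha256,aes256-sha1
            }
        }
    }
}
```

The ipsec.conf equivalents are the @ike=@ and @esp=@ options of the connection. Connections that set no proposal at all keep using the new defaults, so after the upgrade only peers that were matching on one of the removed algorithms will fail with a proposal mismatch.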

* Support for "RSASSA-PSS signatures":https://tools.ietf.org/html/rfc8017 has been added. For compatibility with previous releases they are
currently not used by default; to change that _charon.rsa_pss_ may be enabled. To explicitly use
or require such signatures during IKEv2 signature authentication ("RFC 7427":https://tools.ietf.org/html/rfc7427) _ike:rsa/pss..._ authentication
constraints may be used for specific connections (the strongswan.conf option above does not have to be
enabled). Only the hash algorithm can be specified in such constraints, the MGF1 will be based on that hash
and the salt length will equal the hash length (when verifying, the salt length is not enforced).

To enforce such signatures during PKI verification use _rsa/pss..._ authentication constraints.

All [[ipsecpki|pki]] commands that create certificates/CRLs can be made to sign with RSASSA-PSS instead of the
classic PKCS#1 scheme with the @--rsa-padding pss@ option. As with signatures during authentication, only
the hash algorithm is configurable (via @--digest@ option), the MGF1 will be based on that and the salt length
will equal the hash length.

These signatures are supported by all RSA backends except _pkcs11_ (i.e. _gmp, gcrypt, openssl_). The _gmp_
plugin requires the _mgf1_ plugin.

Note that RSASSA-PSS algorithm identifiers and parameters in keys (public keys in certificates or private keys
in PKCS#8 files) are currently not used as constraints.
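The global switch and the per-connection constraints described above, side by side, as an added example that is not part of these release notes or of the strongSwan documentation. The connection name, addresses, identities and certificate file name are placeholders, and @sha256@ is only one of the hash algorithms the constraint accepts.

```conf
# strongswan.conf, added example: sign with RSASSA-PSS wherever charon would
# otherwise use PKCS#1 v1.5. Off by default in 5.6.1 so that older peers
# still verify our signatures.
charon {
    rsa_pss = yes
}

# swanctl.conf, added example: per-connection constraints that do not depend
# on the global switch above. Names and addresses are placeholders.
connections {
    net-net {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        local {
            # "use": sign our IKEv2 AUTH payload with RSASSA-PSS/SHA-256
            # (MGF1 with SHA-256, salt length = hash length = 32 bytes) even
            # if charon.rsa_pss is left at its default.
            auth  = ike:rsa/pss-sha256
            certs = moonCert.pem
            id    = moon.strongswan.org
        }
        remote {
            # "require": accept only RSASSA-PSS/SHA-256 in the peer's AUTH
            # payload (RFC 7427 signature authentication). Only the hash is
            # enforced when verifying, not the salt length the peer chose.
            auth = ike:rsa/pss-sha256
            id   = sun.strongswan.org
        }
        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
            }
        }
    }
}
```

The constraint form without the @ike:@ prefix, e.g. @rsa/pss-sha256@, applies the same requirement to the signatures in the peer's certificate chain rather than to the IKEv2 AUTH payload. Certificates and CRLs for such a deployment are produced by the pki commands with @--rsa-padding pss --digest sha256@ (e.g. @pki --issue ... --rsa-padding pss --digest sha256@); with the _gmp_ backend this needs the _mgf1_ plugin loaded.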

* When restarting an IKEv2 negotiation after receiving an @INVALID_KE_PAYLOAD@ notify (or for other reasons
like too many retransmits) a new initiator SPI is allocated. This prevents issues caused by retransmits of
@IKE_SA_INIT@ messages.

Because the initiator SPI was previously reused when restarting the connection, delayed responses to earlier
connection attempts were still processed and might have caused fatal errors due to a failed DH negotiation or because
of the internal retry counter in the ike-init task. For instance, if we proposed a DH group the responder rejected we
might later have received delayed responses that either contained @INVALID_KE_PAYLOAD@ notifies with the DH group
we had already switched to or, if we retransmitted an @IKE_SA_INIT@ with the requested group but then had to restart again,
a @KE@ payload with a group different from the one we proposed.

* The [[SecUpdater|sec-updater]] tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu)
and sets the security flags in the [[StrongTnc|IMV policy database]] accordingly. Additionally for each new package
version a SWID tag for the given OS and HW architecture is created and stored in the database.
Using the sec-updater.sh script template the lookup can be automated (e.g. via an hourly cron job).

* The introduction of file versions in the IMV database scheme broke file reference hash measurements.
This has been fixed by creating generic product versions having an empty package name.

* A new _timeout_ option for the [[SystimeFixPlugin|systime-fix plugin]] stops periodic system time checks after a while and enforces
a certificate verification, closing or reauthenticating all SAs with invalid certificates.

* The IKE event counters, previously only available via the [[IpsecCommand|ipsec listcounters]] command, may now also be queried and
reset via [[vici]] and the new [[swanctl|swanctl --counters]] command. They are collected and provided by the optional
[[counters]] plugin (enabled by default for backwards compatibility if the _stroke_ plugin is built).

* Class attributes received in RADIUS Access-Accept messages may optionally be added to RADIUS accounting
messages (commit:655924074b).

* Basic support for systemd sockets has been added, which may be used for privilege separation (commit:59db98fb94).

* Inbound marks may optionally be installed in the SA again (was removed with version:5.5.2) by enabling the _mark_in_sa_
option in [[swanctl.conf]].

* The timeout of leases in pools configured via [[IpsecPool|pool utility]] may be configured in other units than hours.

* @INITIAL_CONTACT@ notifies are now only omitted if _never_ is configured as uniqueness policy.

* Outbound FWD policies for shunts are no longer installed by default (as is the case for other policies since version:5.5.1).

* As responder, a DH group mismatch during CHILD_SA rekeying is no longer treated as a failure (commit:e7276f78aa).

* Handling of fragmented IPv4 and IPv6 packets in libipsec has been improved (commit:e138003de9).

* Expire events are now triggered for the correct IPsec SA in libipsec (commit:6e861947a0).

* A crash in CRL verification via _openssl_ plugin using OpenSSL 1.1 has been fixed (commit:78acaba6a1).

* No hard-coded default proposals are passed from starter to the _stroke_ plugin anymore (the IKE proposal used
_curve25519_ since version:5.5.2, which is an optional plugin).

* A workaround for an issue with virtual IPs on macOS 10.13 (High Sierra) has been added (commit:039b85dd43).

* Handling of IKE_SA rekey collisions in charon-tkm has been fixed.

* Instead of failing or just silently doing nothing, unit tests may now warn about certain conditions (e.g. if a test
was not executed due to external dependencies).