Version 5.6.2 » History » Version 3
Tobias Brunner, 16.02.2018 10:32
h1. Version 5.6.2

* When rekeying IKEv2 IKE_SAs the previously negotiated DH group is reused instead of the first configured group, which avoids an additional exchange if the peer previously selected a different DH group via an @INVALID_KE_PAYLOAD@ notify. The same is done when rekeying CHILD_SAs, except for the first rekeying of the CHILD_SA that was created with the IKE_SA, where no DH group has been negotiated yet.
Also, the selected DH group is moved to the front in all proposals that contain it, and all proposals that don't contain it are moved to the back, in order to convey the preference for this group to the peer.

* Handling of MOBIKE task queuing has been improved. In particular, the response to an address update (with NAT-D payloads) is no longer ignored if only an address list update or DPD is queued, as that could prevent updating the UDP encapsulation in the kernel.

* On Linux, roam events may optionally be triggered by changes to the routing rules, which can be useful if routing rules (instead of e.g. route metrics) are used to switch from one interface to another (i.e. from one routing table to another). Since routing rules are currently not evaluated when doing route lookups, this is only useful if the kernel-based route lookup is used (commit:4664992f7d).

* The fallback drop policies installed to avoid traffic leaks when replacing addresses in installed policies are now replaced by temporary drop policies, which also prevent acquires, because we currently delete and reinstall IPsec SAs to update their addresses (commit:35ef1b032d).

* X.509 certificates held in the non-volatile storage of a TPM 2.0 can be accessed via their NV index.

* The new --keyid parameter of [[IpsecPkiPrint|pki --print]] allows printing private keys or certificates stored on a smartcard or in a TPM 2.0.

* Fixed proposal selection if a DH group is configured in the local ESP proposal and _charon.prefer_configured_proposals_ is disabled (commit:d058fd3c32).

* The lookup of PSK secrets for IKEv1 has been improved for certain scenarios (see #2497 for details).

* MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g. AES-XCBC-PRF-128, see commit:73cbce6013).

* The @tpm_extendpcr@ command line tool extends a digest into a TPM PCR.

* Ported the [[NetworkManager]] backend from the deprecated _libnm-glib_ to _libnm_.

* The _save-keys_ debugging/development plugin saves IKE and/or ESP keys to files compatible with Wireshark.
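The DH group reuse and proposal reordering described in the first item above, as an added illustrative example in Python; this is not strongSwan's own code, and the proposal model and the transform names in the sample data are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Proposal:
    """Minimal model of an IKE/ESP proposal (assumed shape, not strongSwan's)."""
    encr: list   # encryption algorithms
    integ: list  # integrity algorithms (empty for AEAD)
    prf: list    # pseudo-random functions (IKE only)
    dh: list     # DH groups in preference order


def prefer_dh_group(proposals, selected):
    """Convey a preference for `selected` to the peer: move the group to the
    front of every proposal that contains it and move proposals lacking it
    behind the others. Relative order inside each partition is preserved."""
    with_group, without_group = [], []
    for p in proposals:
        if selected in p.dh:
            dh = [selected] + [g for g in p.dh if g != selected]
            with_group.append(Proposal(p.encr, p.integ, p.prf, dh))
        else:
            without_group.append(p)
    return with_group + without_group


def rekey_dh_group(proposals, previous):
    """Group to propose when rekeying: reuse the previously negotiated one if
    it is still offered locally (saves the INVALID_KE_PAYLOAD round trip).
    `previous` is None for the first rekeying of the CHILD_SA created with the
    IKE_SA, where no group was negotiated; fall back to the first configured."""
    if previous is not None and any(previous in p.dh for p in proposals):
        return previous
    return next((p.dh[0] for p in proposals if p.dh), None)


# Constructed sample configuration: three local proposals.
SAMPLE_PROPOSALS = [
    Proposal(["AES_GCM_16_256"], [], ["PRF_HMAC_SHA2_256"], ["MODP_2048", "ECP_256"]),
    Proposal(["AES_CBC_128"], ["HMAC_SHA2_256_128"], ["PRF_HMAC_SHA2_256"], ["MODP_3072"]),
    Proposal(["CHACHA20_POLY1305"], [], ["PRF_HMAC_SHA2_256"], ["ECP_256", "MODP_2048"]),
]

if __name__ == "__main__":
    chosen = rekey_dh_group(SAMPLE_PROPOSALS, "ECP_256")
    for p in prefer_dh_group(SAMPLE_PROPOSALS, chosen):
        print(p.encr[0], p.dh)
```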