Version 1 (Tobias Brunner, 24.05.2018 09:47) → Version 2/3 (Tobias Brunner, 12.09.2018 18:42)

h1. Version 5.7.0

* Dots are not allowed anymore in section names in [[swanctl.conf]] and [[strongswan.conf]].
This mainly affects the [[LoggerConfiguration|configuration of file loggers]]. If the path of such a log file contains dots,
it now has to be configured in the new _path_ setting within an arbitrarily named subsection of the
_filelog_ section (the subsection name itself may not contain dots).

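As an added example (not taken from this page or from the strongSwan project), the same file logger in [[strongswan.conf]] syntax before and after this change; the log path and the subsection name are made up:

```conf
# strongswan.conf, file logger section. Constructed example, not from the page.

# No longer accepted as of 5.7.0: the log path doubles as the section name,
# and section names may not contain dots ("charon.log" has one).
#
# charon {
#     filelog {
#         /var/log/charon.log {
#             time_format = %b %e %T
#             ike_name = yes
#             default = 1
#         }
#     }
# }

# Equivalent configuration since 5.7.0: the subsection gets an arbitrary,
# dot-free name (here "charon-log") and the file name moves into "path".
charon {
    filelog {
        charon-log {
            path = /var/log/charon.log
            time_format = %b %e %T
            ike_name = yes
            default = 1
        }
    }
}
```

After the upgrade, a logger section that still uses the dotted path as its name is rejected when the config is parsed, so the daemon ends up without that log file; checking the parse output after `ipsec reload` or a restart is the quickest way to catch it.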
* Sections in [[swanctl.conf]] and [[strongswan.conf]] may now reference other sections. All settings and
subsections of such a section are inherited.
This allows simplifying configs, as redundant information only has to be specified once and may then
be included in other sections (see [[strongswan.conf]] for an example).

* The originally selected IKE config (based on the IPs and IKE version) can now change if no matching
algorithm proposal is found. This way the order of the configs doesn't matter that much anymore and
it's easily possible to specify separate configs for clients that require weak algorithms (instead
of having to also add them in other configs that might be selected).

* Support for Postquantum Preshared Keys for IKEv2 ("draft-ietf-ipsecme-qr-ikev2":https://tools.ietf.org/html/draft-ietf-ipsecme-qr-ikev2) has been added.

* The new _botan_ plugin is a wrapper around the "Botan C++ crypto library":https://botan.randombit.net.
It requires a fairly recent build from Botan's master branch (or the upcoming 2.8.0 release).
Thanks to René Korthaus and his team from Rohde & Schwarz Cybersecurity for the initial patch.

* Implementation of "RFC 8412":https://tools.ietf.org/html/rfc8412 "Software Inventory Message and Attributes (SWIMA)
for PA-TNC". The SWIMA subscription option sets a CLOSE_WRITE trigger on the @apt@ history.log file,
resulting in a ClientRetry PB-TNC batch that initializes a new measurement cycle.

* Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA protocols on Google's OSS-Fuzz infrastructure.

* Support for version 2 of Intel's TPM2-TSS TCG Software Stack. The presence of
the in-kernel @/dev/tpmrm0@ resource manager is automatically detected.

* The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using
the syntax @--san xmppaddr:<jid>@.

* [[swanctl.conf]] supports the configuration of marks that the inbound and/or outbound SA should apply to packets after
processing on Linux. Configuring such a mark for outbound SAs requires at least a 4.14 kernel. The ability
to set a mask and to configure a mark/mask for inbound SAs will be added with the upcoming 4.19 kernel.

* New options in [[swanctl.conf]] allow configuring how/whether DF, ECN and DS fields in the IP headers are
copied during IPsec processing. Controlling this is currently only possible on Linux.

* To avoid conflicts, the [[dhcpplugin|dhcp plugin]] now only uses the DHCP server port if explicitly configured.