RDNs in DNs of X.509 certificates can now optionally be matched less strictly. The global strongswan.conf option charon.rdn_matching takes two alternative values that cause the matching algorithm to either ignore the order of matched RDNs (reordered) or, additionally, accept DNs that contain more RDNs than configured (relaxed; unmatched RDNs are treated like wildcard matches).
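The three matching behaviours described above, as an added illustration that is not strongSwan's own code: a simplified DN parser (no escaped commas or multi-valued RDNs) plus a matcher that takes the mode name from charon.rdn_matching, with "strict" standing for the default behaviour. The DNs are constructed sample values, and treating a configured value of "*" as a wildcard mirrors strongSwan identity matching.

```python
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "moon.strongswan.org")


def parse_dn(dn: str) -> List[RDN]:
    """Split 'C=CH, O=strongSwan, CN=moon' into [(type, value), ...].
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def rdn_matches(configured: RDN, actual: RDN) -> bool:
    """Types must be equal; a configured value of '*' accepts any value."""
    return configured[0] == actual[0] and configured[1] in ("*", actual[1])


def dn_matches(configured: str, cert_dn: str, mode: str = "strict") -> bool:
    """Match a configured DN against a certificate DN.
    strict:    same RDNs, same count, same order (default behaviour).
    reordered: same RDNs and count, order ignored.
    relaxed:   order ignored; extra RDNs in the certificate are accepted
               as if they had been matched by wildcards."""
    want, have = parse_dn(configured), parse_dn(cert_dn)
    if mode == "strict":
        return len(want) == len(have) and all(
            rdn_matches(w, h) for w, h in zip(want, have))
    if mode not in ("reordered", "relaxed"):
        raise ValueError(f"unknown rdn_matching mode: {mode}")
    # Every configured RDN must consume a distinct certificate RDN. Exact
    # values are matched first so a wildcard cannot steal an RDN that a
    # specific configured RDN of the same type needs.
    remaining = list(have)
    for w in sorted(want, key=lambda r: r[1] == "*"):
        for i, h in enumerate(remaining):
            if rdn_matches(w, h):
                del remaining[i]
                break
        else:
            return False  # a configured RDN has no counterpart in the cert
    # reordered: nothing may be left over; relaxed: leftovers are tolerated
    return mode == "relaxed" or not remaining


if __name__ == "__main__":
    cfg = "C=CH, O=strongSwan, CN=moon.strongswan.org"  # constructed
    cert = "C=CH, O=strongSwan, OU=Research, CN=moon.strongswan.org"
    for m in ("strict", "reordered", "relaxed"):
        print(f"{m:9s} -> {dn_matches(cfg, cert, m)}")
```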
The updown plugin now passes the same interface to the script that is also used for the automatically installed routes, that is, the interface over which the peer is reached instead of the interface on which the local address is found (#3095).
TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple IKE_SAs use the same private key concurrently (4b25885025).
A rekey check is now performed after the third Quick Mode (QM) message has been received (#3060).
If available, explicit_bzero() is now used as memwipe() instead of our own implementation.
An .editorconfig file has been added, mainly so GitHub shows files with proper indentation (68346b6962).
The internal certificate of the load-tester plugin has been modified so it can again be used as end-entity cert with 5.6.3 and later (#3139).
The maximum data length of received COOKIE notifies (64 bytes) is now enforced (#3160).