
Version 1 (Tobias Brunner, 30.10.2020 17:19) → Version 2/3 (Tobias Brunner, 17.02.2021 15:25)

h1. Version 5.9.2

* Together with a Linux 5.8 kernel supporting the [[IMA|IMA measurement]] of the GRUB bootloader and the
Linux kernel, the strongSwan Attestation IMC allows remote attestation of the complete boot
phase. A recent [[TpmPlugin|TPM 2.0]] device with a SHA-256 PCR bank is required, so that both BIOS and IMA file
measurements are based on SHA-256 hashes.
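The verifier side of such an attestation works by replaying the measurement log it receives against the PCR values the TPM signed in its quote. The following Python is an added illustration of that replay, not code from strongSwan's Attestation IMC/IMV; the log entries and PCR assignments are constructed for the example (real logs come from the TPM event log and the IMA runtime measurement list), and quote signature verification and comparison against reference values are left out.

```python
import hashlib
from typing import Dict, List, Tuple

# A boot-measurement log entry: (PCR index, description, hex digest of what was measured).
LogEntry = Tuple[int, str, str]


def _d(label: bytes) -> str:
    """Constructed stand-in for a real measurement digest (SHA-256 of a label)."""
    return hashlib.sha256(label).hexdigest()


# Constructed sample log (synthetic values, not taken from a real system).
# PCR 0: firmware, PCR 4: boot manager/GRUB binary, PCR 8/9: GRUB commands and loaded
# files (kernel, initrd), PCR 10: IMA runtime measurements of files used after boot.
SAMPLE_LOG: List[LogEntry] = [
    (0, "EV_POST_CODE firmware", _d(b"firmware-image")),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION grubx64.efi", _d(b"grubx64.efi")),
    (8, "grub_cmd: linux /vmlinuz-5.8", _d(b"linux /vmlinuz-5.8 root=/dev/sda1")),
    (9, "grub_linuxefi: /vmlinuz-5.8", _d(b"vmlinuz-5.8")),
    (9, "grub_initrd: /initrd.img", _d(b"initrd.img")),
    (10, "ima-ng /usr/sbin/charon", _d(b"ima-ng template: /usr/sbin/charon")),
]


def extend(pcr: bytes, digest: bytes, algo: str = "sha256") -> bytes:
    """TPM2_PCR_Extend semantics within one bank: new = H(old || digest)."""
    h = hashlib.new(algo)
    h.update(pcr)
    h.update(digest)
    return h.digest()


def replay(log: List[LogEntry], algo: str = "sha256") -> Dict[int, bytes]:
    """Recompute the PCR values a TPM holds after extending every log entry in order.

    Every digest must belong to the bank being replayed: a 20-byte SHA-1 digest
    cannot be folded into a SHA-256 PCR, which is why a SHA-256 bank is needed
    when both BIOS and IMA measurements are SHA-256."""
    size = hashlib.new(algo).digest_size
    pcrs: Dict[int, bytes] = {}
    for index, desc, hexdigest in log:
        digest = bytes.fromhex(hexdigest)
        if len(digest) != size:
            raise ValueError(f"{desc}: {len(digest)}-byte digest does not fit the {algo} bank")
        pcrs[index] = extend(pcrs.get(index, bytes(size)), digest, algo)
    return pcrs


def verify_quote(reported: Dict[int, bytes], log: List[LogEntry],
                 algo: str = "sha256") -> Dict[int, bool]:
    """Compare PCR values reported by the TPM (what a signed quote attests) with the
    values implied by the event log the client sent. A PCR whose replay does not
    match means the log was altered or is incomplete for that PCR."""
    expected = replay(log, algo)
    return {index: reported.get(index) == value for index, value in expected.items()}


if __name__ == "__main__":
    quote = replay(SAMPLE_LOG)  # stands in for the PCR values a real quote would carry
    print(verify_quote(quote, SAMPLE_LOG))
```

A matching replay only proves that the log is consistent with the quoted PCRs; whether the measured GRUB, kernel and files are the expected ones is a separate comparison against known-good reference values.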

* Our own TLS library (source:src/libtls) that we use for [[EAPTLS|EAP-TLS]], EAP-TTLS, EAP-PEAP and [[Swima|PT-TLS]]
gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and Pascal Knecht (client
and server) for their work on this.
Because the use of TLS 1.3 with the above EAP methods is not yet standardized (see commit:121ac4b9e3),
the default maximum version is currently set to TLS 1.2, which is now also the default minimum
version (both are configurable via [[strongswan.conf]]).

* Several improvements for _libtls_ also affect older TLS versions. For instance, we added support for
ECDH with Curve25519/448 (DH groups may also be configured now), for EdDSA keys and certificates
and for RSA-PSS signatures. Support for old and weak cipher suites has been removed (e.g. with 3DES
and MD5) as well as signature schemes with SHA-1.

* The @listener_t::ike_update@ event is now also called for MOBIKE updates. Its signature has changed
so we only have to call it once if both addresses (and/or ports) have changed (e.g. for an address family
switch).

* The _ike-update_ event is exposed via [[vici]].

* The [[farpplugin|farp]] plugin has been ported to macOS and FreeBSD. Thanks to Dan James for working on this (commit:95a0d800c9).

* To fix DNS server installation with @systemd-resolved@, [[NetworkManager|charon-nm]] now creates a dummy TUN device
again (was removed with version:5.5.1, #3615).

* The _botan_ plugin can use @rng_t@ implementations provided by other plugins when generating keys etc.
if the Botan library supports it (requires the upcoming Botan 3).

* _charon-tkm_ now supports multiple CAs and is configured via vici/swanctl.

* Simple glob patterns (e.g. @include conf.d/*.conf@) now also work on Windows. Handling of forward
slashes in paths on Windows has also been improved.

* The abbreviations for the _surname_ and _serial number_ RDNs in ASN.1 distinguished names have been
changed to align with RFC 4519: The abbreviation for _surname_ is now @SN@ (was @S@ before), which was
previously used for _serial number_ that can now be specified as @serialNumber@ only (commit:d8e4a2a777).
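The practical effect is that a DN string containing @SN=@ is mapped to a different attribute type (OID) after the upgrade, so identities and certificate subjects written with the old abbreviation may no longer match. The following Python is an added illustration of that mapping and is not strongSwan's DN parser; the two lookup tables, the case-insensitive lookup and the simplified comma splitting (no escaped commas or quoting) are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Attribute type OIDs (ITU-T X.520, listed in RFC 4519).
OID_SURNAME = "2.5.4.4"
OID_SERIAL_NUMBER = "2.5.4.5"
COMMON: Dict[str, str] = {
    "CN": "2.5.4.3", "C": "2.5.4.6", "L": "2.5.4.7", "ST": "2.5.4.8",
    "O": "2.5.4.10", "OU": "2.5.4.11",
}

# Abbreviations as used by strongSwan before 5.9.2 (per the release note above).
LEGACY: Dict[str, str] = {**COMMON, "S": OID_SURNAME, "SN": OID_SERIAL_NUMBER}
# Abbreviations aligned with RFC 4519, as of 5.9.2.
RFC4519: Dict[str, str] = {**COMMON, "SN": OID_SURNAME, "SERIALNUMBER": OID_SERIAL_NUMBER}


def parse_dn(dn: str, table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Parse "C=CH, O=Example, SN=Meier" into [(oid, value), ...] using the given
    abbreviation table. Lookup is case-insensitive (assumption for this example)."""
    rdns: List[Tuple[str, str]] = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in RDN {part!r}")
        oid = table.get(key.strip().upper())
        if oid is None:
            raise ValueError(f"unknown attribute type {key.strip()!r}")
        rdns.append((oid, value.strip()))
    return rdns


def valid_dn(dn: str, table: Dict[str, str]) -> bool:
    """True if every RDN in the string is known to the table."""
    try:
        parse_dn(dn, table)
        return True
    except ValueError:
        return False


def same_identity(dn_a: str, dn_b: str, table: Dict[str, str]) -> bool:
    """Identity comparison on the parsed (OID, value) form, which is what matters
    for matching a configured identity against a certificate subject."""
    return parse_dn(dn_a, table) == parse_dn(dn_b, table)


if __name__ == "__main__":
    dn = "C=CH, O=strongSwan, SN=Meier"
    print("legacy :", parse_dn(dn, LEGACY))   # SN -> serialNumber (2.5.4.5)
    print("rfc4519:", parse_dn(dn, RFC4519))  # SN -> surname (2.5.4.4)
```

When checking an upgrade, look for @S=@ (now rejected as unknown) and @SN=@ (now surname) in configured identities and in certificate subjects generated with strongSwan's own tools.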

* The serial numbers in certificates generated by the [[loadtests|load-tester]] plugin are now encoded as proper
ASN.1 integers (#3667).
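A DER INTEGER is two's complement, minimally encoded, so a serial number whose top bit is set needs a leading zero octet or it decodes as a negative number, and RFC 5280 additionally requires certificate serials to be positive and at most 20 octets. The following Python encoder/decoder is an added example of those rules and is not the load-tester's code; the page does not say which of the rules the plugin previously violated, and the checks here are generic.

```python
from typing import Tuple


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(n: int) -> bytes:
    """Encode a non-negative Python int as a DER INTEGER (tag 0x02)."""
    if n < 0:
        raise ValueError("only non-negative values are encoded here")
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the value positive in two's complement
    return b"\x02" + der_length(len(body)) + body


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4 or pos + count > len(data):
        raise ValueError("unsupported or truncated length encoding")
    return int.from_bytes(data[pos:pos + count], "big"), pos + count


def parse_der_integer(data: bytes) -> int:
    """Strict DER INTEGER decoder: rejects non-minimal encodings and trailing data."""
    if not data or data[0] != 0x02:
        raise ValueError("not an INTEGER")
    length, pos = _read_length(data, 1)
    body = data[pos:pos + length]
    if len(body) != length or pos + length != len(data):
        raise ValueError("truncated INTEGER or trailing data")
    if length == 0:
        raise ValueError("empty INTEGER")
    if length > 1 and ((body[0] == 0x00 and not body[1] & 0x80)
                       or (body[0] == 0xFF and body[1] & 0x80)):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big", signed=True)


def check_serial(der: bytes) -> Tuple[bool, str]:
    """Apply the RFC 5280 4.1.2.2 rules for certificate serial numbers."""
    try:
        n = parse_der_integer(der)
    except ValueError as e:
        return False, str(e)
    if n <= 0:
        return False, "serial number must be a positive integer"
    if n.bit_length() // 8 + 1 > 20:  # octets needed for the positive DER content
        return False, "serial number longer than 20 octets"
    return True, "ok"


if __name__ == "__main__":
    for value in (1, 127, 128, 0x0123, 2 ** 159):
        enc = der_integer(value)
        print(enc.hex(), check_serial(enc))
```

Strict parsers (for instance those that re-encode and compare) reject certificates whose serial violates these rules, which is how a mis-encoded serial in a test certificate surfaces as a verification failure.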

* An issue with Windows clients requesting IPv6 but not IPv4 virtual IP addresses from previous sessions
has been fixed (#3541).

* Changes to @ike_sa_manager_t@: Checking out IKE_SAs by config is now atomic (e.g. when acquires for
different children of the same connection are handled concurrently). The @checkout_new()@ method has
been renamed to @create_new()@. A new @checkout_new()@ method allows registering a new IKE_SA with
the manager shortly before checking it in, so jobs can be queued without losing them (as they can block
updates on checking out the new SA once it's checked in).

* The @build-strongswan@ script for the [[TestingEnvironment|testing environment]] can now also build the software installed
in the root image (helpful if strongSwan changes depend on changes in dependencies) or recreate the
complete root image (check @--help@ for details).