Minor Release


18 issues   (18 closed — 0 open)

Version 5.1.2

  • A new default configuration file layout is introduced (with full backward compatibility).
    The new default strongswan.conf file mainly includes config snippets from the
    strongswan.d and strongswan.d/charon directories (the latter containing snippets
    for all plugins). The snippets, with commented defaults, are automatically generated
    and installed, if they don't exist yet. They are also installed in
    $prefix/share/strongswan/templates so existing files can be compared to
    the current defaults.
  • As an alternative to the non-extensible charon.load setting, the plugins to load
    in charon (and optionally other applications) can now be determined
    via the charon.plugins.<name>.load setting for each plugin (enabled in the
    new default strongswan.conf file via the charon.load_modular option).
    The load setting optionally takes a numeric priority value that allows
    reordering the plugins (otherwise the default plugin order is preserved).
  • All strongswan.conf settings that were formerly defined in library specific
    "global" sections are now application specific (e.g. settings for plugins in
    libstrongswan.plugins can now be set only for charon in charon.plugins).
    The old options are still supported, which now makes it possible to define
    defaults for all applications in the libstrongswan section.
  • The ntru libstrongswan plugin supports NTRUEncrypt as a post-quantum
    computer IKE key exchange mechanism. The implementation is based on the
    ntru-crypto library from the NTRUOpenSourceProject. The supported security
    strengths are ntru112, ntru128, ntru192, and ntru256. Since the private DH
    group IDs 1030..1033 have been assigned, the strongSwan Vendor ID must be
    sent (charon.send_vendor_id = yes) in order to use NTRU.
  • Defined a TPMRA remote attestation workitem and added support for it to the
    Attestation IMV.
  • Compatibility issues between IPComp (compress=yes) and leftfirewall=yes as
    well as multiple subnets in left|rightsubnet have been fixed.
  • When enabling its session strongswan.conf option, the xauth-pam plugin opens
    and closes a PAM session for each established IKE_SA. Patch courtesy of Andrea Bonomi.
  • The strongSwan unit testing framework has been rewritten without the check
    dependency for improved flexibility and portability. It now properly supports
    multi-threaded and memory leak testing and brings a bunch of new test cases.
  • If charon.plugins.stroke.prevent_loglevel_changes is enabled, the stroke plugin prevents
    log level changes via ipsec stroke.
  • The inactivity counter is reset with every rekeying, which means that the inactivity timeout
    must be smaller than the rekeying interval to have any effect (d048a319df).
  • SQL schemas and example data (IMV) are now distributed and installed in $prefix/share/strongswan.
  • A method to register custom proposal keyword parsers has been added (568e302260).
  • A deadlock was fixed when installing trap policies (bb492d80b5).
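
The inactivity note above (d048a319df) can be turned into a configuration check. This added example is not part of the strongSwan release notes or code base. It scans ipsec.conf text for conns whose inactivity timeout is not smaller than the earliest rekey time. Assumptions: the rekey time is lifetime - margintime * (1 + rekeyfuzz) with the defaults documented in ipsec.conf(5), also= and the keylife/rekeymargin aliases are not handled, and the function names and sample config are constructed for illustration.

```python
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
# Assumed defaults for the rekey parameters, as documented in ipsec.conf(5).
DEFAULTS = {"lifetime": "1h", "margintime": "9m", "rekeyfuzz": "100%", "rekey": "yes"}

def seconds(value):
    """Convert an ipsec.conf time value such as 90, 30s, 10m, 1h or 1d."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_conns(text):
    """Return {conn name: settings} with 'conn %default' applied (no 'also=')."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if line and not line[0].isspace():    # section header: config/conn/ca
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            current[key] = value
    base = {**DEFAULTS, **conns.pop("%default", {})}
    return {name: {**base, **cfg} for name, cfg in conns.items()}

def ineffective_inactivity(text):
    """List (conn, inactivity, earliest rekey) where the timeout cannot fire."""
    findings = []
    for name, cfg in parse_conns(text).items():
        idle = seconds(cfg.get("inactivity", "0"))
        if idle == 0 or cfg["rekey"] == "no":
            continue  # no timeout set, or no rekeying to reset the counter
        fuzz = int(cfg["rekeyfuzz"].rstrip("%")) / 100
        earliest = seconds(cfg["lifetime"]) - seconds(cfg["margintime"]) * (1 + fuzz)
        if idle >= earliest:  # the timeout must be smaller than the rekey interval
            findings.append((name, idle, int(earliest)))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
conn %default
    lifetime=20m
    margintime=3m
conn roadwarrior
    inactivity=30m   # never fires: rekeying can start after 14m
conn site-to-site
    inactivity=5m
"""
```

Calling ineffective_inactivity(SAMPLE) reports only roadwarrior, because its 30 minute timeout exceeds the 14 minute earliest rekey derived from the %default section.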