- RDNs in DNs of X.509 certificates can now optionally be matched less strictly. The global strongswan.conf option
charon.rdn_matching takes two alternative values that cause the matching algorithm to either ignore the order of
matched RDNs (reordered) or additionally (relaxed) accept DNs that contain more RDNs than configured (unmatched
RDNs are treated like wildcard matches).
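The three matching modes described above, as an added illustration rather than strongSwan's own code: DNs are modelled as ordered lists of (type, value) pairs parsed from a simplified RFC 4514 string (no escaping support), a configured value of `*` is treated as a wildcard, and the mode names follow the charon.rdn_matching values from the entry.

```python
# Added, simplified model of strongSwan's rdn_matching semantics (not the project's code).
# A DN is a list of (attribute type, value) tuples; '*' in a configured value is a wildcard.

def parse_dn(dn):
    """Split 'C=CH, O=strongSwan, CN=peer' into ordered (type, value) pairs.
    Simplified: commas inside values are not supported."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def rdn_matches(configured, presented):
    """An RDN matches if the types agree and the configured value is a
    wildcard or identical to the value presented in the certificate."""
    return configured[0] == presented[0] and configured[1] in ("*", presented[1])

def match_dn(configured_dn, cert_dn, mode="strict"):
    """Return True if the certificate DN satisfies the configured DN under
    the given mode: 'strict' (same RDNs, same order), 'reordered' (same
    RDNs, any order) or 'relaxed' (any order, extra RDNs in the certificate
    are accepted as if matched by a wildcard)."""
    configured = parse_dn(configured_dn)
    presented = parse_dn(cert_dn)
    if mode == "strict":
        return len(configured) == len(presented) and all(
            rdn_matches(c, p) for c, p in zip(configured, presented))
    if mode not in ("reordered", "relaxed"):
        raise ValueError(f"unknown rdn_matching mode: {mode}")
    # Consume presented RDNs one by one. Exact values are matched before
    # wildcards so a wildcard cannot steal the only RDN an exact entry needs.
    remaining = list(presented)
    for c in sorted(configured, key=lambda rdn: rdn[1] == "*"):
        for i, p in enumerate(remaining):
            if rdn_matches(c, p):
                del remaining[i]
                break
        else:
            return False  # a configured RDN has no counterpart in the certificate
    # 'reordered' requires every presented RDN to be consumed; 'relaxed' tolerates leftovers.
    return not remaining or mode == "relaxed"
```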
- The updown plugin now passes the same interface to the script that is also used for the automatically
installed routes, that is, the interface over which the peer is reached instead of the interface on which the
local address is found (#3095).
- TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple IKE_SAs use the same private
key concurrently (4b25885025).
- Do a rekey check after the third QM message was received (#3060).
- If available, explicit_bzero() is now used as memwipe() instead of our own implementation.
- A .editorconfig file has been added, mainly so Github shows files with proper indentation (68346b6962).
- The internal certificate of the load-tester plugin has been modified so it can again be used as end-entity
cert with 5.6.3 and later (#3139).
- The maximum data length of received COOKIE notifies (64 bytes) is now enforced (#3160).