Version 5.9.0
- We prefer AEAD algorithms for ESP and therefore put AES-GCM in a default AEAD proposal in front
of the previous default proposal.
- Changes related to the NM frontend and backend (charon-nm):
  - Password entry for private keys in the frontend has been fixed; in the backend, cached credentials
    are now also cleared when the connection is terminated (#3428).
  - The AppStream metadata installed by the frontend has been migrated from appdata to
    metainfo (73b60338dc).
  - The height of the frontend has been reduced by using tabs for options/proposals (#3448).
  - DPD and close action are now set to restart in the backend (#3300).
  - The backend supports custom remote traffic selectors via the remote-ts option (multiple selectors
    separated by ;). There is currently no GUI support, so configuration has to be done manually via
    nmcli or the config file.
- If a connection fails after getting redirected, we now restart connecting to the original host, not the
one redirected to.
- The pkcs11 plugin falls back to hashing data for PKCS#1 v1.5 RSA signatures in software if the
smartcard/library doesn't support signature mechanisms with hashing (e.g. CKM_SHA256_RSA_PKCS).
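The fallback described above, as an added example that is not code from strongSwan's pkcs11 plugin: a toy token in Python that advertises only the raw CKM_RSA_PKCS mechanism, and a signing helper that hashes with SHA-256 in software and prepends the DER DigestInfo prefix before handing the result to that mechanism. The token class, its toy key generation, `restricted_to()`, `sign_sha256_pkcs1()` and `demo()` are stand-ins invented for this illustration, not a PKCS#11 API; the property checked is that the software-hashed path yields the same PKCS#1 v1.5 signature bytes as CKM_SHA256_RSA_PKCS would, because that mechanism is exactly "SHA-256, DigestInfo, then CKM_RSA_PKCS" done inside the token.

```python
import hashlib
import random

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
# CKM_SHA256_RSA_PKCS builds this internally; CKM_RSA_PKCS expects the caller to supply it.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of T: 00 01 FF..FF 00 T, padded out to k bytes."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; adequate for a throwaway toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_toy_rsa_key(bits: int = 512):
    """(n, e, d) of a small textbook RSA key; toy size, for the demonstration only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


class ToyToken:
    """Stand-in (assumption) for a PKCS#11 token: a key plus the mechanisms it advertises."""

    def __init__(self, mechanisms, key=None):
        self.mechanisms = set(mechanisms)
        self.n, self.e, self._d = key or generate_toy_rsa_key()
        self.k = (self.n.bit_length() + 7) // 8

    def restricted_to(self, mechanisms):
        """Same key, fewer mechanisms: models a less capable smartcard/library."""
        return ToyToken(mechanisms, (self.n, self.e, self._d))

    def sign(self, mechanism: str, data: bytes) -> bytes:
        if mechanism not in self.mechanisms:
            raise ValueError("CKR_MECHANISM_INVALID: " + mechanism)
        if mechanism == "CKM_SHA256_RSA_PKCS":
            t = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()  # token hashes itself
        elif mechanism == "CKM_RSA_PKCS":
            t = data  # caller must already supply DigestInfo || hash
        else:
            raise ValueError("unsupported in this toy: " + mechanism)
        em = emsa_pkcs1_v15(t, self.k)
        return pow(int.from_bytes(em, "big"), self._d, self.n).to_bytes(self.k, "big")


def sign_sha256_pkcs1(token: ToyToken, data: bytes):
    """Prefer the hashing mechanism; otherwise hash in software and use raw CKM_RSA_PKCS."""
    if "CKM_SHA256_RSA_PKCS" in token.mechanisms:
        return token.sign("CKM_SHA256_RSA_PKCS", data), "token-hashed"
    digest_info = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return token.sign("CKM_RSA_PKCS", digest_info), "software-hashed"


def verify_sha256_pkcs1(token: ToyToken, data: bytes, sig: bytes) -> bool:
    """Public-key side: RSA-verify and compare against the expected encoding."""
    if len(sig) != token.k:
        return False
    em = pow(int.from_bytes(sig, "big"), token.e, token.n).to_bytes(token.k, "big")
    expected = emsa_pkcs1_v15(DIGESTINFO_SHA256 + hashlib.sha256(data).digest(), token.k)
    return em == expected


def demo(data: bytes = b"IKE_AUTH signed octets (constructed sample)"):
    full = ToyToken({"CKM_RSA_PKCS", "CKM_SHA256_RSA_PKCS"})
    raw_only = full.restricted_to({"CKM_RSA_PKCS"})  # the smartcard the fallback is for
    sig_full, how_full = sign_sha256_pkcs1(full, data)
    sig_raw, how_raw = sign_sha256_pkcs1(raw_only, data)
    return {
        "paths": (how_full, how_raw),
        "identical": sig_full == sig_raw,
        "verifies": verify_sha256_pkcs1(full, data, sig_raw),
        "rejects_tampered": not verify_sha256_pkcs1(full, data + b"!", sig_raw),
    }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from this: the fallback needs a per-hash DigestInfo prefix (the SHA-256 one is shown; other hashes have their own), and a token that offers only CKM_RSA_PKCS still does the padding, so the caller must pass DigestInfo plus digest, never the raw digest alone.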
- The owner/group of the log file opened by the file logger (e.g. via charon.filelog) is now set so the
daemon can reopen it if the config is reloaded and it doesn't run as root.
- The wolfssl plugin (when used with wolfSSL 4.4.0+) supports x448 Diffie-Hellman and Ed448 keys.
- For peers that don't send the EAP_ONLY_AUTHENTICATION notify but still expect to use EAP-only
authentication, the charon.force_eap_only_authentication option can be enabled to force this type
of authentication even on non-compliant peers.
- DH groups are properly handled during migration of CHILD_SA-creating tasks when reestablishing
(previously, this may have caused DH groups to end up in the proposal sent during IKE_AUTH).
- The vici plugin stores all CA certificates in one location, which avoids issues with unloading authority
sections or clearing all credentials (GH#172).
- When unloading a vici connection with start_action=start, any related IKE_SAs without children are now
terminated (including those in CONNECTING state).
- The hashtable implementation has been changed so it maintains insertion order (the old implementation,
including the get_match() method and a new feature to sort keys, has been migrated to the hashlist_t
class). This was mainly done so the vici plugin can store its connections in a hashtable, which makes
managing high numbers of connections faster.
- The default maximum size for vici messages (512 KiB) can now be changed via the VICI_MESSAGE_SIZE_MAX
compile option.
- IPv6 virtual IPs are now always enumerated, ignoring the charon.prefer_temporary_addrs setting, which
should fix route installation if the latter is enabled.
- The version as obtained from the Git repository (via git describe) on which a build is based can now be
used in executables (--enable-git-version). Tarballs include a text file with that information cached.
- Connectivity with the Android client got a lot more stable on Android 6+ where the system aggressively
suspends apps when the device is idle (Doze mode). We now use a custom scheduler that uses Android's
AlarmManager, which allows waking up the app even if the system put it to sleep. It does require adding
the app to the system's battery optimization whitelist, which is requested from the user automatically if
necessary. With this, NAT keepalives and rekeyings are now scheduled accurately, with little change to
battery usage (#3364).
There are some related changes that could be useful outside of the Android client:
  - It's possible to use other clocks than CLOCK_MONOTONIC (e.g. CLOCK_BOOTTIME) via the TIME_CLOCK_ID
    compile option if clock_gettime() is available and pthread_condattr_setclock() supports that
    clock (Android's bionic C library e.g. only supports CLOCK_MONOTONIC and CLOCK_REALTIME while the
    kernel would support CLOCK_BOOTTIME via clock_gettime()).
  - When using a clock that includes time spent suspended, the new charon.keep_alive_dpd_margin option
    may be used to trigger a DPD instead of a NAT keepalive if too much time has passed.
  - Another option (charon.check_current_path) allows forcing a DPD exchange to check if the current path
    still works whenever changes to interfaces/addresses are detected.
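The two clock behaviours and the keep_alive_dpd_margin decision, as an added example in Python that is not the strongSwan scheduler: clock values are constructed to model a device that is suspended for ten minutes in the middle of one keepalive interval, so the same job looks on time on a CLOCK_MONOTONIC-style clock and ten minutes late on a CLOCK_BOOTTIME-style clock. The `SimClock` and `KeepaliveJob` classes, the 20 s interval and the 10 s margin are assumptions made for the illustration; `probe_system_clocks()` only reports what this interpreter's `time.clock_gettime()` exposes and says nothing about pthread_condattr_setclock() support, which has to be checked against the C library.

```python
from dataclasses import dataclass


@dataclass
class SimClock:
    """Two clocks of the kind contrasted above (values are constructed, not read from the OS)."""
    monotonic: float = 0.0  # like CLOCK_MONOTONIC: stops while the device is suspended
    boottime: float = 0.0   # like CLOCK_BOOTTIME: keeps counting through suspend

    def run(self, seconds: float) -> None:
        """Device awake: both clocks advance."""
        self.monotonic += seconds
        self.boottime += seconds

    def suspend(self, seconds: float) -> None:
        """Device asleep: only the boot-time clock advances."""
        self.boottime += seconds

    def now(self, clock_id: str) -> float:
        return self.monotonic if clock_id == "CLOCK_MONOTONIC" else self.boottime


class KeepaliveJob:
    """Periodic NAT keepalive (assumed model); overshoot beyond dpd_margin escalates to a DPD."""

    def __init__(self, clock: SimClock, clock_id: str, interval: float,
                 dpd_margin: float = 0.0, check_current_path: bool = False):
        self.clock, self.clock_id = clock, clock_id
        self.interval, self.dpd_margin = interval, dpd_margin
        self.check_current_path = check_current_path
        self.due = clock.now(clock_id) + interval

    def fire(self):
        """Runs when the scheduler finally executes the job; returns (action, seconds late)."""
        now = self.clock.now(self.clock_id)
        late = now - self.due
        # Only meaningful if the clock counted the suspended time: on a monotonic clock the job
        # never looks late, so a keepalive goes out even though the NAT mapping has long expired.
        action = "DPD" if self.dpd_margin > 0 and late > self.dpd_margin else "NAT-keepalive"
        self.due = now + self.interval
        return action, late

    def on_address_change(self):
        """Interface/address change notification: with check_current_path, verify the path by DPD."""
        return "DPD" if self.check_current_path else None


def run_scenario(clock_id: str, interval: float = 20.0, dpd_margin: float = 10.0):
    """Awake 5 s, suspended 600 s, awake 15 s, then the job is run (constructed timeline)."""
    clock = SimClock()
    job = KeepaliveJob(clock, clock_id, interval, dpd_margin)
    clock.run(5.0)
    clock.suspend(600.0)
    clock.run(15.0)
    return job.fire()


def probe_system_clocks():
    """Which of the two clocks this interpreter/kernel exposes via clock_gettime()."""
    import time
    found = {}
    for name in ("CLOCK_MONOTONIC", "CLOCK_BOOTTIME"):
        cid = getattr(time, name, None)
        try:
            found[name] = cid is not None and time.clock_gettime(cid) >= 0
        except OSError:
            found[name] = False
    return found


if __name__ == "__main__":
    for cid in ("CLOCK_MONOTONIC", "CLOCK_BOOTTIME"):
        print(cid, run_scenario(cid))
    print("CLOCK_BOOTTIME, margin disabled:", run_scenario("CLOCK_BOOTTIME", dpd_margin=0.0))
    print(probe_system_clocks())
```

With the margin disabled (the default of 0) the boot-time clock still reports the job 600 s late, but a plain keepalive is sent; only a non-zero margin turns that knowledge into a DPD that actually tests whether the peer and the NAT mapping are still there.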