- Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI measurements introduced
with the Linux 5.4 kernel. This includes support for the BIOS/EFI event log and variable sized PCR banks.
- The tpm plugin supports SHA-3 and CMAC with TPM 2.0.
- Nonces in OCSP responses are not enforced anymore (added with 5.8.2) and only validated if a nonce
is actually contained (#3557).
- Fixed an issue when only some fragments of a retransmitted IKEv2 message were received, which prevented
processing a following fragmented message (non-fragmented messages were correctly processed, 6586f07162).
- All remaining queued vici messages are now sent to subscribed clients during shutdown, which includes
ike/child-updown events triggered when all established SAs are deleted (ef636316d2).
- CHILD_SA IP addresses are now updated before installation of the IPsec SAs and policies to allow MOBIKE
updates happening while retransmitting a CREATE_CHILD_SA request (#3164).
- When looking for a route to the peer, the kernel-netlink plugin now ignores the current source address if it's
deprecated. It also updates the flags associated with cached IP addresses and triggers a roam event if they
change. So a MOBIKE update now switches to a new address if the current one gets deprecated (#3511).
- The file and syslog loggers support logging the log level of each message after the subsystem (e.g.
- Improved support for EdDSA keys in vici/swanctl, in particular, encrypted keys are now supported (#3586).
- A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID to prevent Cisco
devices from narrowing 0.0.0.0/0 traffic selectors (GH#180).
- The openssl plugin accepts CRLs issued by non-CA certificates if they contain the cRLSign keyUsage
flag (the x509 plugin already does this since 4.5.1).
- Attributes in PKCS#7 containers, as used in SCEP, are now properly DER-encoded, i.e. sorted (#3589).
- Failures during restarts of IKEv1 CHILD_SAs are now properly handled (12a3f3ca52).
- Virtual IPv6 addresses and IPv6 source address pools are now supported in the load-tester plugin (#3595).
- The Android client optionally supports IPv6 transport addresses for IKE and ESP (requires UDP encapsulation
for IPv6 on the server, which Linux only supports since 5.8).
- The testing environment is now based on Debian 10 (buster) by default.
- /dev/random on guest hosts in the testing environment is now mapped to the host's
via VirtIO RNG, which requires support in the guest kernel (
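The DER ordering rule behind the PKCS#7/SCEP attribute fix (#3589), as an added example that is not strongSwan code: a minimal encoder that emits the authenticatedAttributes SET OF in canonical order regardless of the order the attributes were added, plus the digest the SignerInfo signature actually covers. The attribute values are constructed; the OIDs are the standard PKCS#9 contentType/messageDigest and SCEP transactionID identifiers.

```python
"""Canonical DER encoding of PKCS#7 authenticatedAttributes (SET OF Attribute).
X.690 11.6 orders SET OF members by their encoded octets; a verifier that
re-encodes them canonically before hashing rejects an unsorted signature.
Added example, not strongSwan code; the attribute values are constructed."""
import hashlib

def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, continuation bit on all but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def der_set_of(elements: list) -> bytes:
    """SET OF in DER order: encodings compared as octet strings, shorter ones
    padded with trailing zero octets (X.690 11.6)."""
    width = max((len(e) for e in elements), default=0)
    ordered = sorted(elements, key=lambda e: e.ljust(width, b"\x00"))
    return der_tlv(0x31, b"".join(ordered))

def attribute(oid: str, value: bytes) -> bytes:
    # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF ANY }
    return der_tlv(0x30, der_oid(oid) + der_set_of([value]))

PKCS9_CONTENT_TYPE = "1.2.840.113549.1.9.3"
PKCS9_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
SCEP_TRANSACTION_ID = "2.16.840.1.113733.1.9.7"
def signed_attrs_digest(attrs: list) -> bytes:
    """Digest the signature covers: the SET OF with tag 0x31, not the [0] IMPLICIT tag."""
    return hashlib.sha256(der_set_of(attrs)).digest()

# Constructed sample, deliberately supplied in reverse of the canonical order.
SAMPLE = [
    attribute(SCEP_TRANSACTION_ID, der_tlv(0x13, b"0123456789ABCDEF0123456789ABCDEF")),
    attribute(PKCS9_MESSAGE_DIGEST, der_tlv(0x04, hashlib.sha256(b"csr").digest())),
    attribute(PKCS9_CONTENT_TYPE, der_oid("1.2.840.113549.1.7.1")),  # id-data
]
```

Because the three sample attributes differ already in their length octet, the canonical order here is contentType, messageDigest, transactionID, the reverse of the insertion order.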