Minor Release
Version 5.9.1

  • Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI measurements introduced
    with the Linux 5.4 kernel. This includes support for the BIOS/EFI event log and variable sized PCR banks.
  • The tpm plugin supports SHA-3 and CMAC with TPM 2.0.
  • Nonces in OCSP responses are not enforced anymore (added with 5.8.2) and only validated if a nonce
    is actually contained (#3557).
  • Fixed an issue when only some fragments of a retransmitted IKEv2 message were received, which prevented
    processing a following fragmented message (non-fragmented messages were correctly processed, 6586f07162).
  • All remaining queued vici messages are now sent to subscribed clients during shutdown, which includes
    ike/child-updown events triggered when all established SAs are deleted (ef636316d2).
  • CHILD_SA IP addresses are now updated before installation of the IPsec SAs and policies to allow MOBIKE
    updates happening while retransmitting a CREATE_CHILD_SA request (#3164).
  • When looking for a route to the peer, the kernel-netlink plugin now ignores the current source address if it's
    deprecated. It also updates the flags associated with cached IP addresses and triggers a roam event if they
    change. So a MOBIKE update now switches to a new address if the current one gets deprecated (#3511).
  • The file and syslog loggers support logging the log level of each message after the subsystem (e.g.
    [IKE2], #3509).
  • charon-nm is now properly terminated during system shutdown (#3579).
  • Improved support for EdDSA keys in vici/swanctl, in particular, encrypted keys are now supported (#3586).
  • A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID to prevent Cisco
    devices from narrowing traffic selectors (GH#180).
  • The openssl plugin accepts CRLs issued by non-CA certificates if they contain the cRLSign keyUsage
    flag (the x509 plugin already does this since 4.5.1).
  • Attributes in PKCS#7 containers, as used in SCEP, are now properly DER-encoded, i.e. sorted (#3589).
  • Failures during restarts of IKEv1 CHILD_SAs are now properly handled (12a3f3ca52).
  • Virtual IPv6 addresses and IPv6 source address pools are now supported in the load-tester plugin (#3595).
  • The Android client optionally supports IPv6 transport addresses for IKE and ESP (requires UDP encapsulation
    for IPv6 on the server, which Linux only supports since 5.8).
  • /dev/random on guest hosts in the testing environment is now mapped to the host's /dev/urandom
    via VirtIO RNG, which requires support in the guest kernel (CONFIG_HW_RANDOM_VIRTIO).
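The PKCS#7/SCEP item above (#3589) rests on a DER rule worth seeing in code: a SET OF, which is how authenticated attributes are carried, is only DER if its elements appear sorted by their encoded octets (X.690 section 11.6), otherwise the signature computed over the attributes by one implementation will not match what another re-encodes. The following is an added example, not strongSwan's code: a minimal encoder that applies the ordering, beside a checker that parses an encoded SET OF and reports whether it is canonical. The attribute values are constructed, and the TLV parser assumes single-byte tags and definite lengths, which is all DER permits here.

```python
"""Canonical DER encoding of a SET OF (X.690 section 11.6), as used by the
authenticated attributes in PKCS#7/CMS containers. Added example, not
strongSwan code; the attribute values below are constructed."""


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def der_utf8string(s: str) -> bytes:
    """UTF8String (tag 0x0C); stands in for a real attribute value here."""
    return der_tlv(0x0C, s.encode("utf-8"))


def _sort_key(width: int):
    # X.690 11.6: compare element encodings as octet strings, with the
    # shorter encoding padded at the end with zero octets.
    return lambda enc: enc + b"\x00" * (width - len(enc))


def encode_set_of(elements, canonical: bool = True) -> bytes:
    """Encode already-DER-encoded elements as SET OF (tag 0x31).

    canonical=False keeps the caller's order, which BER tolerates but DER
    does not; it is here only to build a non-canonical sample to check."""
    elems = list(elements)
    if canonical and elems:
        width = max(len(e) for e in elems)
        elems.sort(key=_sort_key(width))
    return der_tlv(0x31, b"".join(elems))


def _read_tlv(buf: bytes, pos: int):
    """Parse the TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled in this example")
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:  # indefinite length or absurd size: not DER
            raise ValueError("not a DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:end], end


def is_canonical_set_of(encoded: bytes) -> bool:
    """True if encoded is a single SET OF whose elements are in DER order."""
    tag, content, end = _read_tlv(encoded, 0)
    if tag != 0x31 or end != len(encoded):
        return False
    elems, pos = [], 0
    while pos < len(content):
        _, _, nxt = _read_tlv(content, pos)
        elems.append(content[pos:nxt])
        pos = nxt
    if not elems:
        return True
    key = _sort_key(max(len(e) for e in elems))
    keys = [key(e) for e in elems]
    return all(a <= b for a, b in zip(keys, keys[1:]))


if __name__ == "__main__":
    # Constructed attribute values, deliberately given out of order.
    attrs = [der_utf8string("zeta"), der_utf8string("beta")]
    good = encode_set_of(attrs)
    bad = encode_set_of(attrs, canonical=False)
    print("canonical:", good.hex(), is_canonical_set_of(good))
    print("as given: ", bad.hex(), is_canonical_set_of(bad))
```

Note that the ordering is over the encoded octets, not the values: a one-character string sorts before a two-character one because its length byte is smaller, which is why a signer and a verifier that both follow the rule agree regardless of how the attributes were collected.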
