Diffstat (limited to 'CHANGELOG')
-rw-r--r-- | CHANGELOG | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 000000000000..f7041712694e --- /dev/null +++ b/CHANGELOG 
@@ -0,0 +1,68 @@ +Added support for IKEv2 make-before-break reauthentication. By using a global +CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs. +This allows the use of make-before-break instead of the previously supported +break-before-make reauthentication, avoiding connectivity gaps during that +procedure. As the new mechanism may fail with peers not supporting it (such +as any previous strongSwan release) it must be explicitly enabled using +the charon.make_before_break strongswan.conf option. + +Support for Signature Authentication in IKEv2 (RFC 7427) has been added. +This allows the use of stronger hash algorithms for public key authentication. + +By default, signature schemes are chosen based on the strength of the +signature key, but specific hash algorithms may be configured in leftauth. +Key types and hash algorithms specified in rightauth are now also checked +against IKEv2 signature schemes. If such constraints are used for certificate +chain validation in existing configurations, in particular with peers that +don't support RFC 7427, it may be necessary to disable this feature with the +charon.signature_authentication_constraints setting, because the signature +scheme used in classic IKEv2 public key authentication may not be strong +enough. + +The new connmark plugin allows a host to bind conntrack flows to a specific +CHILD_SA by applying and restoring the SA mark to conntrack entries. This +allows a peer to handle multiple transport mode connections coming over the +same NAT device for client-initiated flows (a common use case is to protect +L2TP/IPsec). See ikev2/host2host-transport-connmark for an example. + +The forecast plugin can forward broadcast and multicast messages between +connected clients and a LAN. For CHILD_SA using unique marks, it sets up +the required Netfilter rules and uses a multicast/broadcast listener that +forwards such messages to all connected clients. 
This plugin is designed for +Windows 7 IKEv2 clients, which announce their services over the tunnel if the +negotiated IPsec policy allows it. See ikev2/forecast for an example. + +For the vici plugin a Python Egg has been added to allow Python applications +to control or monitor the IKE daemon using the VICI interface, similar to the +existing ruby gem. The Python library has been contributed by Björn Schuberg. + +EAP server methods now can fulfill public key constraints, such as rightcert +or rightca. Additionally, public key and signature constraints can be +specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and +EAP-TTLS methods provide verification details to constraints checking. + +Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B +variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash +algorithms with SHA512 being the default. + +The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor +as seen by the TNC server available to all IMVs. This information can be +forwarded to policy enforcement points (e.g. firewalls or routers). + +The new mutual tnccs-20 plugin parameter activates mutual TNC measurements +in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or +PT-TLS transport medium. + +SPIs in IKEv1 DELETE payloads are now compared to those of the current IKE SA. +This is required for interoperability with OpenBSD's isakmpd, which always uses the +latest IKE SA to delete other expired SAs. + +The files plugin provides a simple fetcher for file:// URIs (1735d80f38). + +Fixed CRL verification for PKIs that don't use SHA-1 hashes of the public key +as subjectKeyIdentifier or authorityKeyIdentifier (6133770db4). + +Route priorities are now considered when doing manual route lookups (6b57790270). + +Policies are now removed from the kernel before IPsec SAs, to avoid acquires +for untrapped policies (46188b0eb0). |
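Review bot: The signature authentication entry (the paragraph starting "By default, signature schemes are chosen") says it may be necessary to disable the feature with charon.signature_authentication_constraints, but it gives neither the default nor the value that turns it off. Because the entry itself warns that existing rightauth constraints may start failing against peers without RFC 7427 support, please state the default and the disabling value explicitly, the way the make-before-break entry states that its option "must be explicitly enabled". The same gap applies to the "mutual tnccs-20 plugin parameter" entry, which names the parameter without its full strongswan.conf path. Separately, the new file starts with entries at line 1 and has no version or release heading, so a reader cannot tell which release these notes describe. Only the last four entries cite commit ids, so consider either citing them throughout or dropping them.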