• A long-standing deadlock in the vici plugin has been fixed that could get triggered when multiple connections were initiated/terminated concurrently and control-log events were raised by the watcher_t component (#566).

• To potentially improve the performance and reduce the chances of a similar deadlock, the logging calls in the watcher_t component have been reduced and moved out of its internal mutex (53208b0ba4c17f6efc9df3007ecf9626471fd78d) and a change that caused the component to busy wait in some situations has also been reverted (30803f90eb3721db178822bca203fb14696cfced). Also related is a change that avoids verbose log calls during initiate/terminate() (d96d15b5882f5f67f6b22fdbbf956ec63cbc94ec, also see the developer notes below).

• In compliance with RFC 5280, CRLs now have to be signed by a certificate that either encodes the cRLSign keyUsage bit (even if it is a CA certificate), or is a CA certificate without a keyUsage extension. strongSwan encodes a keyUsage extension with cRLSign bit set in all CA certificates since 13 years. And before that it didn't encode the extension, so these certificates would also be accepted as CRL issuer in case they are still valid (7dc82dea34167c1585a95f38b532e11a67a53ee8).

• Support for optional CA labels in EST server URIs (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>) was added to the pki --est and pki --estca commands (#1614).

• The pkcs7 and openssl plugins now support CMS-style signatures in PKCS#7 containers, which allows verifying RSA-PSS and ECDSA signatures (#1615).

• Fixed a regression in the server implementation of EAP-TLS when using TLS 1.2 or earlier that was introduced with 5.9.10 (#1613, 3d0d3f5d028a0c630f89cb4fec5b2cd5364f568b).

• The EAP-TLS client does now enforce that the TLS handshake is complete when using TLS 1.2 or earlier. It was possible to shortcut it by sending an early EAP-Success message. Note that this isn't a security issue as the server is authenticated at that point (db87087fae6b4d1761dfba4eae3bd4880f5d23ab).

• On Linux, the kernel-libipsec plugin can now optionally handle ESP packets without UDP encapsulation (uses RAW sockets, disabled by default, e3cb756dbf7bd2e7734103ecea599c1d9970baa4). The plugin and libipsec also gained support trap policies (23d20bbb96dde1f63f2a53e2dd099b2fb3908bda).

• The dhcp plugin uses an alternative method to determine the source address when sending unicast DHCP requests, which is not affected by interface filtering that might be employed for the IKE sockets (#1573).

• The selection of certificates and trust chains as initiator has been improved if the local trust chain is incomplete (i.e. the root CA certificate for the local certificate is not loaded) while a certificate request for a known but unrelated CA is received, which caused any local intermediate CA certificates not to get sent (efdcbd13cb65528a91867118521595ac22623654).

• ECDSA and EdDSA public keys are supported by the ipseckey plugin when parsing RFC 4025 IPSECKEY resource records (7be55adf051049aaf48d9f1d4fd69abe422bb7e9).

• The kernel-wfp plugin installs bypass policies also on the FWPM_SUBLAYER_IPSEC_TUNNEL sublayer, which is necessary to bypass tunnel mode SAs/policies (8c0a67f700c8feb9a00312b230a41352f9e1b124).

• The revocation plugin suppresses some log messages for cached OCSP responses (9e17a0ed88ee6c9c2c77fbb747e667a339819b49).

• To further improve handling of cached OCSP responses, stale responses are now replaced in-place in the certificate cache (47e8b21c76366dcdfb1064fb4e1fdb619e684684).

• Capabilities of a SCEP server are now correctly parsed by pki --scep and pki --scepca (#1607).

• When renewing a certificate via SCEP, the --dn argument is now optional and gets copied from the previous certificate. This is helpful in case the CA added RDNs the user might not be aware of to the issued certificate (5f8eb09dd665a242fbebd55e47a0080c2f983704, #1689).

• Fixed the fallback to the remote identity for mediated connections if no peer ID is configured (#1569, dd79253e2d3a2d2f61689305cc02c506e2a5f746).

• The log messages for the terminate() and rekey() commands have been improved to clarify what's happening if combined filters are used (e.g. with both --ike and --child passed, only matching CHILD_SAs will be affected but previously a separate log message indicated that IKE_SAs would get targeted as well, 5e46e101a6f1f7ab24549679b15d0ff2c98c3081).

• Fixed a crash when charon-svc is terminated (8f5c0c9ca926b9f936ada13f72f4b73756ecbc62).

• If IKEv1 SAs are reset during a reauthentication because of a timeout, the initiator SPI changes. CHILD_SAs are now correctly migrated to the new SPI (#1663).

• For developers:

  • Support for timeouts in the Python vici bindings has been improved so a default timeout that's configured on the socket won't be reset by vici.Transport.receive() and doesn't cause partial reads (#1562).
  • On Windows, the Python vici bindings now create a default TCP socket (00a75e332f293dc8d8e4750b2368e689a33fc10a).
  • The controller_t::initiate() and controller_t::terminate() methods now take the maximum log level for messages that are passed to the callback (if any). If controller_cb_empty() is passed as callback, LEVEL_SILENT should be used to avoid any useless calls to the callback.
  • Disabling logging at compile-time via reduced DEBUG_LEVEL should again be possible (7fa85ff379da8ffe5264c109723dd20f5f579821).

Refer to the 5.9.11 milestone for a list of all closed issues and pull requests.