New Feature Additions

• Support for the IKEv2 OCSP extensions (RFC 4806) has been added, which allows peers to request and send OCSP responses together with their certificate chain directly in IKEv2 (#2016). The OCSP responses for local certificates are currently retrieved via revocation plugin, either from the cache or fetched from an OCSP server (see the developer notes for details). The feature can be controlled via <conn>.ocsp setting in swanctl.conf. By default, OCSP responses are sent if the peer requests any and a response can be retrieved.

  If sending requests is enabled, the implementation generally sends an empty OCSP certificate request payload. Only if self-signed OCSP signer certificates are found locally will their public key's hash be added to the payload. Such certificates must either have the OCSPSigning extended key usage flag set, or be placed in the x509ocsp directory so that they are flagged when loaded.

• The Android app now supports managed configurations via enterprise mobility management (EMM) systems (#2005). Besides configuring global settings and VPN profiles (with settings similar to those supported in profile files, including certificates), this also provides management options for disabling certain features of the app (e.g. to prevent users from creating and/or importing custom profiles or to only display managed profiles).

• Added support for PSS padding for smartcard-based RSA signatures to the pkcs11 plugin, using either on-chip or external data hashing.

• Added keyid and certid handles to the pki --ocsp command so that keys and/or certificates can be stored on a smartcard or in a TPM 2.0 device (note that this may add quite a delay to generating OCSP responses).

Enhancements and Optimizations

• Validation of X.509 name constraints has been refactored to align with RFC 5280 (#2114). This fixes several limitations of the previous implementation. Name constraints are now correctly propagated from the root of the certificate chain so that intermediate CA certificates don't have to explicitly inherit the name constraints of their parents anymore. The latter previously prevented adding constraints in an intermediate CA certificate that's followed by another that doesn't contain any name constraints. This is perfectly fine as the set of constraints specified by the parent continue to apply to that intermediate CA certificate and the children it issues.

  Identities also don't have to match all name constraints of the same type anymore, which prevented actually encoding multiple constraints of the same type because e.g. for the permitted name constraints for example.org and example.com no acceptable certificates could be issued as any SAN with one domain would get rejected by the other constraint. In compliance with the RFC, matching a single constraint is now enough.

  Also resolved is an issue with name constraints for IP addresses (added with 5.9.12), which were previously only supported for a single level.

• The dhcp plugin has been ported to FreeBSD/macOS (#2047). The code for BPF handling has been refactored and is now shared between dhcp and farp plugin.

• The openssl plugin is now compatible to AWS-LC, a crypto library based on code from BoringSSL and OpenSSL (#1907).

• The identity enforced by the configuration was added to the message logged when identities don't match (#2088).

Fixes

• Overflows of unique identifiers (e.g. Netlink sequence numbers or reqids) are now handled gracefully when the daemon is running for a very long time without restart (#2062).
• Fail the installation of SAs on Linux if replay protection is disabled while extended sequence numbers (ESN) are enabled (#2117). This combination is currently not supported by the Linux kernel and strongSwan previously just installed the SA without ESN, causing the other end to drop packets if it was an implementation that didn't do this.

For Developers

• The optional ocsp() method of the cert_validator_t interface is used to retrieve an OCSP response for a local X.509 certificate when responding to an OCSP certificate request. It's currently only implemented by the revocation plugin, which uses the same code that's used when verifying remote certificates via OCSP.
• Our leak detective now implements and wraps malloc_usable_size(), which is used by systemd and the libraries it provides (e.g. nss-systemd) (#2045).
• The build.gradle file for the Android app now declares the NDK version and uses the default NDK invocation instead of the custom tasks that were used before (1cab544c759749a899b439acb4fae1fb58279db8).
• With the addition of support for managed configurations, several internals of the Android app have changed:
  • All VPN profiles now require a UUID as it's the only identifier used to access them.
  • When using Intents to start/stop profiles, the new name for the string extra that passes the ID is org.strongswan.android.VPN_PROFILE_UUID (the old one is still supported as fallback, though).
  • Profiles may be marked as read-only internally, which adds a label in the profile list and prevents users from deleting/editing/copying them (only the password may be changed in the GUI).
  • Profiles may come from different data sources (currently the database and managed configurations).
  • To access the app's database, a new class (DatabaseHelper) has been added, which is accessed via an instance on the Application sub-class.

Refer to the 5.9.14 milestone for a list of all closed issues and pull requests.