5.9.10
Release date: 2023-03-02 21:00:09
Latest strongswan/strongswan release: 5.9.14 (2024-03-19 21:34:10)
- Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463; it affects strongSwan 5.9.8 and 5.9.9 and is fixed in this release. Please refer to our blog for details.
- Added support for full packet hardware offload for IPsec SAs and policies, which has been introduced with the Linux 6.2 kernel, to the kernel-netlink plugin (#1462). Bypass policies for the IKE ports are automatically offloaded to devices that support this type of offloading.
- TLS-based EAP methods use the key derivation specified in draft-ietf-emu-tls-eap-types (in the RFC Editor's publication queue at the time of this release; since published as RFC 9427) when used with TLS 1.3 (06abdf1d31f5cee7ee90611e2ee7f390b2a3c9a4).
- The eap-tls plugin properly supports TLS 1.3 according to RFC 9190 by implementing the "protected success indication" (5401a74d3608be19a4a883c10d4bd89e73c6ee60). Similarly, the eap-peap plugin correctly initiates Phase 2 with TLS 1.3 also if `phase2_piggyback` is disabled (the default) (8aa13a1797eb7472b763a9b8e60d906261c6b243).
- Routes via XFRM interfaces can now optionally be installed automatically by enabling the `charon.plugins.kernel-netlink.install_routes_xfrmi` option. Such routes are only installed if an interface with the ID referenced in `if_id_out` exists when the corresponding CHILD_SA is installed. If the traffic selectors include the IKE traffic to the peer, special care is required (please refer to the docs for details).
- The NetworkManager backend `charon-nm` now uses XFRM interfaces instead of dummy TUN devices, if they are supported by the kernel, to avoid issues with name resolution (#1048).
- With the new `prefer` value for the `childless` setting, initiators will create a childless IKE_SA if the responder supports the extension (RFC 6023). As responder, it has the same effect as `allow`.
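The following configuration is an added example, not a file from the release notes or the strongSwan project, showing how the three kernel-netlink and IKE features above are enabled together: `install_routes_xfrmi` with a matching `if_id_out`, `hw_offload = packet` on a CHILD_SA, and `childless = prefer` on a connection. Connection names, identities, addresses, subnets and the interface ID 42 are assumptions; the `hw_offload` values `packet` and `auto` are taken from the swanctl.conf documentation rather than from this page.

```conf
# /etc/strongswan.conf (or /etc/strongswan.d/charon/kernel-netlink.conf)
charon {
    plugins {
        kernel-netlink {
            # 5.9.10: install routes for CHILD_SAs through the XFRM interface
            # whose if_id equals the CHILD_SA's if_id_out. The interface must
            # already exist when the CHILD_SA is installed, e.g. created with
            #   ip link add ipsec42 type xfrm dev eth0 if_id 42
            # Default is no.
            install_routes_xfrmi = yes
        }
    }
}

# /etc/swanctl/swanctl.conf
connections {
    # Site-to-site tunnel whose IPsec SAs and policies are installed in the
    # NIC (Linux >= 6.2, kernel-netlink plugin). The bypass policies for the
    # IKE ports are offloaded automatically; nothing to configure for them.
    offload {
        remote_addrs = 203.0.113.10
        local {
            auth = pubkey
            certs = gw-a.pem
            id = gw-a.example.org
        }
        remote {
            auth = pubkey
            id = gw-b.example.org
        }
        children {
            net {
                local_ts = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                # packet: full packet offload; installation fails if the
                #         kernel or the device does not support it.
                # auto:   packet if available, else crypto, else software.
                hw_offload = packet
                start_action = trap
            }
        }
    }

    # Client connection: childless IKE_SA (RFC 6023) if the hub supports
    # it, CHILD_SAs bound to XFRM interface if_id 42, routes installed
    # through that interface by install_routes_xfrmi above.
    rw {
        remote_addrs = hub.example.org
        vips = 0.0.0.0
        childless = prefer
        if_id_in = 42
        if_id_out = 42
        local {
            auth = eap-tls
            id = alice@example.org
        }
        remote {
            auth = pubkey
            id = hub.example.org
        }
        children {
            hub {
                # Deliberately does not cover the hub's own address: if the
                # traffic selectors included the IKE traffic to the peer,
                # the extra handling described in the docs would be needed.
                remote_ts = 10.0.0.0/8
                start_action = start
            }
        }
    }
}
```

After loading this with `swanctl --load-all`, `swanctl --list-sas` shows the offload state of each CHILD_SA, and `ip route show table 220` (the default routing table used by charon) shows the routes pointing at the XFRM interface.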
- The `pki --req` command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request (CSR).
- The `pki --issue` command adopts EKU flags that are either directly encoded in CSRs or derived from an encoded profile string (msCertificateTypeExtension). With the `--flag` option, these flags can either be overridden completely, or specific flags can be added and/or removed from the encoded set.
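The script below is an added example, not the strongSwan project's own code, that walks through the two `pki` items above: the requester encodes `serverAuth` in the CSR, and the CA then either adopts that set, adds `clientAuth` to it, or replaces it. It assumes a `pki` binary from strongSwan 5.9.10 or newer on PATH; the bare, `+` and `-` forms of `--flag` follow the release note and `pki --issue --help` (confirm them on your build); all names, DNs and lifetimes are made up.

```shell
#!/bin/sh
# Added example (not strongSwan project code): CSR with an EKU flag, then
# three ways for the CA to treat that flag when issuing. Assumes pki from
# strongSwan >= 5.9.10; names and DNs are invented.
set -eu

make_ca() {        # $1 = working directory; writes cakey.pem and cacert.pem
    pki --gen --type rsa --size 3072 --outform pem > "$1/cakey.pem"
    pki --self --in "$1/cakey.pem" --ca --lifetime 3650 --outform pem \
        --dn "C=CH, O=Example, CN=Example Root CA" > "$1/cacert.pem"
}

make_csr() {       # $1 = working directory; requester asks for serverAuth only
    pki --gen --type rsa --size 3072 --outform pem > "$1/key.pem"
    pki --req --in "$1/key.pem" --san vpn.example.org --flag serverAuth \
        --dn "C=CH, O=Example, CN=vpn.example.org" --outform pem > "$1/req.pem"
}

# Issue from the CSR. Without --flag the EKU set encoded in the CSR is
# adopted; "+flag"/"-flag" adjusts that set; a bare flag replaces it.
issue_adopt() {    # $1 = dir   -> serverAuth (taken from the CSR)
    pki --issue --cacert "$1/cacert.pem" --cakey "$1/cakey.pem" \
        --type pkcs10 --in "$1/req.pem" --lifetime 365 --outform pem
}
issue_add() {      # $1 = dir   -> serverAuth clientAuth
    pki --issue --cacert "$1/cacert.pem" --cakey "$1/cakey.pem" \
        --type pkcs10 --in "$1/req.pem" --lifetime 365 --outform pem \
        --flag +clientAuth
}
issue_override() { # $1 = dir   -> clientAuth only, serverAuth dropped
    pki --issue --cacert "$1/cacert.pem" --cakey "$1/cakey.pem" \
        --type pkcs10 --in "$1/req.pem" --lifetime 365 --outform pem \
        --flag clientAuth
}

cert_flags() {     # $1 = PEM certificate; prints its EKU flags, e.g. "serverAuth clientAuth"
    pki --print --type x509 --in "$1" | sed -n 's/^ *flags: *//p'
}

# Stand-alone run (`sh eku-demo.sh run`): build everything in a scratch
# directory and show what each issuing variant produced.
if [ "${1:-}" = run ] && command -v pki >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_ca "$dir"
    make_csr "$dir"
    pki --print --type pkcs10 --in "$dir/req.pem"   # CSR shows "flags: serverAuth"
    issue_adopt    "$dir" > "$dir/adopt.pem";    echo "adopt:    $(cert_flags "$dir/adopt.pem")"
    issue_add      "$dir" > "$dir/add.pem";      echo "add:      $(cert_flags "$dir/add.pem")"
    issue_override "$dir" > "$dir/override.pem"; echo "override: $(cert_flags "$dir/override.pem")"
fi
```

Checking `cert_flags` on the issued certificate before it is deployed is the practical point: a CSR is attacker-controlled input to a CA, so a CA that adopts EKU flags from it should pin the set it is willing to sign (here by passing an explicit `--flag` list) rather than issuing whatever the requester encoded.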
- When running on a Linux 6.2 or newer kernel, the last use times of CHILD_SAs are determined by querying the IPsec SAs and not the policies (older kernels don't report the last use time per SA).
- For `libcurl` with MultiSSL support, the curl plugin provides an option to select a specific SSL/TLS backend.
- The `swanctl --monitor-sa` command exits with `ECONNRESET` if the daemon closes the VICI connection.
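A small supervisor loop, added here as an example and not part of strongSwan, shows why the `ECONNRESET` exit status matters to anyone feeding `swanctl --monitor-sa` into a log pipeline: a daemon restart should re-attach the listener, while other failures (bad options, no daemon at all) should not be retried blindly. It assumes that swanctl returns the errno value as its process exit status and that `ECONNRESET` is 104 on Linux; both are assumptions to check on your platform.

```shell
#!/bin/sh
# Added example (not strongSwan project code): keep `swanctl --monitor-sa`
# attached across charon restarts. Assumes the 5.9.10 behaviour that the
# command exits with ECONNRESET when the daemon closes the VICI socket, that
# errno values are used as the exit status, and that ECONNRESET is 104.
set -u
ECONNRESET=104

should_reattach() {   # $1 = exit status of swanctl --monitor-sa
    [ "$1" -eq "$ECONNRESET" ]
}

monitor_loop() {
    while :; do
        rc=0
        # Prints one line per SA event until the VICI connection drops.
        swanctl --monitor-sa || rc=$?
        if should_reattach "$rc"; then
            echo "VICI connection closed by daemon, re-attaching in 2s" >&2
            sleep 2
            continue
        fi
        echo "swanctl --monitor-sa exited with status $rc, giving up" >&2
        return "$rc"
    done
}

# Stand-alone run: `sh monitor-sa.sh run` (needs a running charon).
case "${1:-}" in
    run) monitor_loop ;;
esac
```

When run under a service manager instead, the same distinction can be expressed by exiting with the status unchanged and letting the manager's restart policy apply only to that code.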
For developers:
- The default build of the Android app now relies on OpenSSL instead of the old BoringSSL version we previously used. A script to statically build `libcrypto` is provided in the repository (see the docs for details).
- Existing enum name lists (e.g. for algorithm or notify payload identifiers) can now be extended from plugins (0de42047a98f831e8963cc352265db6a78bccc1b).
- Implementations of `kernel_ipsec_t` that support reporting the last use time of an SA via `query_sa()` should announce this via the `KERNEL_SA_USE_TIME` kernel feature.
- `libvici` provides a callback that's invoked if the connection is closed by the daemon, which may be useful when listening for events.
Refer to the 5.9.10 milestone for a list of all closed issues and pull requests.
Release files (each tarball has a detached PGP signature in the matching .sig file):
1. strongswan-5.9.10.tar.bz2 (4.54 MB)
2. strongswan-5.9.10.tar.bz2.sig (659 B)
3. strongswan-5.9.10.tar.gz (7.47 MB)
4. strongswan-5.9.10.tar.gz.sig (659 B)