• Fixed a vulnerability related to certificate verification in TLS-based EAP methods that leads to an authentication bypass followed by an expired pointer dereference that results in a denial of service but possibly even remote code execution. This vulnerability has been registered as CVE-2023-26463. Please refer to our blog for details.

• Added support for full packet hardware offload for IPsec SAs and policies, which has been introduced with the Linux 6.2 kernel, to the kernel-netlink plugin (#1462). Bypass policies for the IKE ports are automatically offloaded to devices that support this type of offloading.

• TLS-based EAP methods use the key derivation specified in draft-ietf-emu-tls-eap-types (currently in the RFC Editor's publication queue) when used with TLS 1.3 (06abdf1d31f5cee7ee90611e2ee7f390b2a3c9a4).

• The eap-tls plugin properly supports TLS 1.3 according to RFC 9190, by implementing the "protected success indication" (5401a74d3608be19a4a883c10d4bd89e73c6ee60). Similarly, the eap-peap plugin correctly initiates Phase 2 with TLS 1.3 also if phase2_piggyback is disabled (default) (8aa13a1797eb7472b763a9b8e60d906261c6b243).

• Routes via XFRM interfaces can now optionally be installed automatically by enabling the charon.plugins.kernel-netlink.install_routes_xfrmi option. Such routes are only installed if an interface with the ID referenced in if_id_out exists when the corresponding CHILD_SA is installed. If the traffic selectors include the IKE traffic to the peer, special care is required (please refer to the docs for details).

• The NetworkManager backend charon-nm now uses XFRM interfaces instead of dummy TUN devices to avoid issues with name resolution if they are supported by the kernel (#1048).

• With the new prefer value for the childless setting, initiators will create a childless IKE_SA if the responder supports the extension (RFC 6023). As responder, it has the same effect as allow.

• The pki --req command can encode extendedKeyUsage (EKU) flags in the PKCS#10 certificate signing request (CSR).

• The pki --issue command adopts EKU flags that are either directly encoded in CSRs or derived from an encoded profile string (msCertificateTypeExtension). With the --flag option, these flags can either be overridden completely, or specific flags can be added and/or removed from the encoded set.

• When running on a Linux 6.2 kernel, the last use times of CHILD_SAs are determined by querying the IPsec SAs and not the policies (older kernels don't report the last use time per SA).

• For libcurl with MultiSSL support, the curl plugin provides an option to select a specific SSL/TLS backend.

• The swanctl --monitor-sa command exits with ECONNRESET if the daemon closes the VICI connection.

• For developers:

  • The default build of the Android app now relies on OpenSSL instead of the old BoringSSL version we previously used. A script to statically build libcrypto is provided in the repository (see the docs for details).
  • Existing enum name lists (e.g. for algorithm or notify payload identifiers) can now be extended from plugins (0de42047a98f831e8963cc352265db6a78bccc1b).
  • Implementations of kernel_ipsec_t that support reporting the last use time of an SA via query_sa(), should announce this via the KERNEL_SA_USE_TIME kernel feature.
  • libvici provides a callback that's invoked if the connection is closed by the daemon, which may be useful when listening for events.

Refer to the 5.9.10 milestone for a list of all closed issues and pull requests.