strongSwan 5.5.1 Released

We are happy to announce the release of strongSwan 5.5.1 which brings support for the NewHope post-quantum key exchange algorithm, simplified private key handling in swanctl and pki, configurable XFRM policy hashing thresholds, improved delta CRL handling, support for NetworkManager 1.2 and several other new features and fixes.


NewHope Key Exchange Algorithm

The newhope plugin implements the post-quantum NewHope key exchange algorithm proposed by Erdem Alkim, Léo Ducas, Thomas Pöppelmann and Peter Schwabe in their 2015 paper.

Simplified Private Key Handling

The pki tool, with the help of the pkcs1 or openssl plugins, can parse private keys in any of the supported formats without having to know the exact type. So instead of having to specify rsa or ecdsa explicitly, the keyword priv may be used to indicate a private key of any type.

Similarly, swanctl can load any type of private key from the swanctl/private directory.

XFRM Policy Hashing Thresholds

XFRM policy hashing thresholds may be configured via strongswan.conf. This can significantly improve performance on hosts where the number of flows exceeds the flow cache size of the Linux kernel. Policies covering more than a single address don't get hash-indexed by default, so most of the cycles are wasted in xfrm_policy_lookup_bytype() and the xfrm_policy_match() function it calls. Since Linux 3.18 the kernel can hash the first n bits of a policy subnet to perform indexed lookups. With correctly chosen thresholds this can completely eliminate the performance impact of policy lookups.

Note: Due to a bug in Linux 3.19 through 4.7, the kernel crashes with a NULL pointer dereference if a socket policy (used by strongSwan to exempt IKE traffic from IPsec tunnels) is installed while hash thresholds are changed. See ac9759a532 for details and a workaround.
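The effect of the thresholds can be checked against a policy set before changing anything. The following Python model is an added example, not strongSwan or kernel code: it assumes a policy is indexed only when both its local and remote prefixes are at least as long as the thresholds (here called lbits and rbits), groups indexed policies by the first lbits/rbits bits of their subnets, and uses constructed sample policies. Real hash buckets may additionally merge distinct keys.

```python
import ipaddress

# Constructed sample: (local subnet, remote subnet) selectors, IPv4 only.
SAMPLE_POLICIES = [
    ("10.1.0.0/16", "10.2.3.0/24"),
    ("10.1.0.0/16", "10.2.4.0/24"),
    ("10.1.0.0/16", "192.0.2.7/32"),
    ("10.1.5.0/24", "10.9.0.0/16"),
]

def _net(cidr):
    return ipaddress.ip_network(cidr)

def is_hashed(local, remote, lbits, rbits):
    """Indexed only if both prefixes are at least as long as the thresholds;
    anything shorter stays on the linearly searched list."""
    return _net(local).prefixlen >= lbits and _net(remote).prefixlen >= rbits

def _first_bits(cidr, bits):
    """The leading `bits` bits of the subnet address, i.e. the hash input."""
    net = _net(cidr)
    return int(net.network_address) >> (net.max_prefixlen - bits)

def summarize(policies, lbits, rbits):
    """Count indexed vs. linear policies and the largest group sharing a key."""
    groups = {}
    for local, remote in policies:
        if is_hashed(local, remote, lbits, rbits):
            key = (_first_bits(local, lbits), _first_bits(remote, rbits))
            groups[key] = groups.get(key, 0) + 1
    hashed = sum(groups.values())
    return {"hashed": hashed, "inexact": len(policies) - hashed,
            "largest_group": max(groups.values(), default=0)}

def suggest_thresholds(policies):
    """Longest thresholds that still index every policy (one address family)."""
    return (min(_net(l).prefixlen for l, _ in policies),
            min(_net(r).prefixlen for _, r in policies))

if __name__ == "__main__":
    # Defaults (32/32), the suggested pair, and a stricter remote threshold.
    for lbits, rbits in [(32, 32), suggest_thresholds(SAMPLE_POLICIES), (16, 24)]:
        print(lbits, rbits, summarize(SAMPLE_POLICIES, lbits, rbits))
```

With the default thresholds of 32 none of the sample policies is indexed; 16/16 indexes all four. In strongswan.conf the values are set under charon.plugins.kernel-netlink.spdh_thresh (ipv4.lbits, ipv4.rbits and the ipv6 equivalents).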

Improved Delta CRL Handling

Delta CRLs are now properly cached in-memory (and on disk) together with their base. In earlier releases the presence of a delta CRL might have required that the base be refetched every time. The serial number for delta CRLs generated by pki --signcrl is now based on the given base CRL again (was broken since 4.6.3).

When setting charon.cache_crls = yes in strongswan.conf the vici plugin (and the stroke plugin) saves regular, base and delta CRLs to disk. Fetched CRLs are now also cached if the checked certificate has been revoked.

Support for NetworkManager 1.2

The NetworkManager integration has been updated to support NM 1.2. Refer to the download page for updated versions of the NM applet/plugin.

The directory from which CA certificates are loaded if no certificate is configured in the GUI can now be configured via strongswan.conf using the new charon-nm.ca_dir setting.

Other Notable Fixes

  • By default, the "outbound" FWD policies, introduced with 5.5.0, are not installed anymore. They may be enabled via the policies_fwd_out setting in swanctl.conf/vici for a specific CHILD_SA if its traffic would otherwise get blocked by a drop policy.
  • IKE fragmentation is now enabled by default with the default fragment size set to 1280 bytes for both IP address families.
  • The VICI flush-certs command flushes certificates from the volatile certificate cache. Optionally the type of the certificates to be flushed (e.g. type = x509_crl) can be specified.
  • IKE and ESP/AH proposals configured as strings in ipsec.conf and swanctl.conf (or VICI) are now checked to avoid invalid proposals.
  • The libstrongswan crypto factory now offers the registration of Extended Output Functions (XOFs). Currently supported XOFs are SHAKE128 and SHAKE256 implemented by the sha3 plugin, ChaCha20 implemented by the chapoly plugin and the more traditional MGF1 Mask Generation Functions based on the SHA-1, SHA-256 and SHA-512 hash algorithms implemented by the new mgf1 plugin.
  • The pki tool can handle RSASSA-PKCS1v1.5-with-SHA-3 signatures using the sha3 and gmp plugins.
  • libtpmtss: In the TSS2 API the function TeardownSocketTcti() was replaced by tss2_tcti_finalize().
