We are happy to announce the release of strongSwan 5.6.1 which removes deprecated algorithms from default proposals, supports RSASSA-PSS signatures, and brings several other new features and fixes.
Removal of Deprecated Algorithms
In compliance with RFC 8221 and RFC 8247 several algorithms were removed from the default ESP/AH and IKEv2 proposals, respectively. Removed from the default ESP/AH proposal were the 3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKEv2 default proposal (also the IKEv1 default proposal) the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the latter is significant for Windows clients in their default configuration).
These algorithms may still be used in custom proposals.
Support for RSASSA-PSS Signatures
Support for RSASSA-PSS signatures has been added. For compatibility with previous releases they are currently not used automatically, by default, to change that charon.rsa_pss may be enabled. To explicitly use or require such signatures during IKEv2 signature authentication (RFC 7427) ike:rsa/pss... authentication constraints may be used for specific connections (regardless of whether the strongswan.conf option above is enabled). Only the hash algorithm can be specified in such constraints, the MGF1 will be based on that hash and the salt length will equal the hash length (when verifying the salt length is not enforced). To enforce such signatures during PKI verification rsa/pss... authentication constraints may be used.
All pki commands that create certificates/CRLs can be made to sign with RSASSA-PSS instead of the classing PKCS#1 scheme with the
--rsa-padding pss option. As with signatures during authentication, only the hash algorithm is configurable (via
--digest option), the MGF1 will be based on that and the salt length will equal the hash length.
These signatures are supported by all RSA backends except pkcs11 (i.e. gmp, gcrypt, openssl). The gmp plugin requires the mgf1 plugin (enabled by default if gmp is enabled).
Note that RSASSA-PSS algorithm identifiers and parameters in keys (public keys in certificates or private keys in PKCS#8 files) are currently not used as constraints.
The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database accordingly. Additionally for each new package version a SWID tag for the given OS and HW architecture is created and stored in the database. Using the sec-updater.sh script template the lookup can be automated (e.g. via an hourly cron job).
IKE Event Counters via VICI
The IKE event counters, previously only available via ipsec listcounters command, may now also be queried and reset via vici and the new swanctl --counters command. They are collected and provided by the optional counters plugin (enabled by default for backwards compatibility if the stroke plugin is built).
Initiator SPI Reset for Restarted IKE SAs
When restarting an IKEv2 negotiation after receiving an
INVALID_KE_PAYLOAD notify (or due to other reasons like too many retransmits) a new initiator SPI is allocated. This prevents issues caused by retransmits for
Other Notable Features and Fixes
- A new timeout option for the systime-fix plugin stops periodic system time checks after a while and enforces a certificate verification, closing or reauthenticating all SAs with invalid certificates.
- Class attributes received in RADIUS Access-Accept messages may optionally be added to RADIUS accounting messages.
- Inbound marks may optionally be installed in the SA again (was removed with 5.5.2) by enabling the mark_in_sa option in swanctl.conf.
- Basic support for systemd sockets has been added, which may be used for privilege separation.
- No hard-coded default proposals are passed from starter to the stroke plugin anymore.
- A workaround for an issue with virtual IPs on macOS 10.13 (High Sierra) has been added.