strongSwan - Design by Margo Galas <galas (at) solnet (dot) ch>

Main Sponsors

secunet

secunet

revosec

Hochschule für Technik Rapperswil

strongSwan 5.8.2 Released

We are happy to announce the release of strongSwan 5.8.2, which adds support for identity-based CA constraints, can send intermediate CA certificates in hash-and-URL encoding and brings several other new features and fixes.


Identity-based CA Constraints

An identity-based CA constraint enforces that the certificate chain of the remote peer contains a CA certificate with a specific identity. They are supported via vici/swanctl.conf and are similar to the existing CA constraints but don't require that the CA certificate is locally installed, such as intermediate CA certificates received from the peers.

Wildcard identity matching (e.g. "..., OU=Research, CN=*") could also be used for the latter but this requires trust in the intermediate CAs to only issue certificates with legitimate subject DNs (e.g. the "Sales" CA must not issue certificates with "OU=Research"). With the new constraint that's not necessary as long as a path length basic constraint (--pathlen for pki --issue) prevents intermediate CAs from issuing further intermediate CAs.

Hash-and-URL Encoding for Intermediate CA Certificates

Intermediate CA certificates may now be sent in hash-and-URL encoding by configuring a base URL for the parent CA (swanctl/rw-hash-and-url-multi-level).

Other Notable Features and Fixes

  • Implemented NIST SP-800-90A Deterministic Random Bit Generator (DRBG) based on AES-CTR and SHA2-HMAC modes. Currently used by the gmp and ntru plugins.
  • Random nonces sent in an OCSP requests are now expected in the corresponding OCSP responses.
  • The kernel-netlink plugin ignores deprecated IPv6 addresses for MOBIKE. Whether temporary or permanent IPv6 addresses are included now depends on the charon.prefer_temporary_addrs setting.
  • Extended Sequence Numbers (ESN) are configured via PF_KEY if supported by the kernel.
  • The vici plugin uses unique section names for CHILD_SAs in child-updown events and it includes more information about the CHILD_SAs, such as traffic statistics, for individually deleted CHILD_SAs (in particular for IKEv1). 
  • Routing table IDs > 255 are supported for custom routes on Linux.
  • The D-Bus config file for charon-nm is now installed in $(datadir)/dbus-1/system.d instead of $(sysconfdir)/dbus-1/system.d.

Download Complete Changelog