strongSwan 5.9.0 Released

We are happy to announce the release of strongSwan 5.9.0, which prefers AES-GCM for ESP, comes with several updates for the NetworkManager plugin/backend and the VICI plugin, and brings several other new features and fixes.

AES-GCM Preferred for ESP

We prefer AEAD algorithms for ESP and therefore put AES-GCM in a default AEAD proposal in front of the existing default proposal.
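To make that ordering concrete, here is a swanctl.conf fragment (an added example, not taken from the release announcement or the strongSwan project) that spells out the same preference explicitly: an AEAD proposal using AES-GCM is listed before a classic encryption-plus-integrity proposal for ESP, so a peer that cannot negotiate GCM still falls back to AES-CBC with HMAC-SHA-256. The connection name, addresses, certificate file name and traffic selectors are placeholders; the algorithm keywords are standard strongSwan proposal tokens.

```conf
# swanctl.conf fragment (added example; names and addresses are placeholders)
connections {
    gw-example {
        # Documentation-range addresses, used here only as placeholders
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.2
        local {
            auth = pubkey
            # Placeholder certificate file name
            certs = gwCert.pem
        }
        remote {
            auth = pubkey
        }
        # IKE: AEAD proposal first (AEAD requires an explicit PRF),
        # then a classic proposal as fallback for peers without GCM
        proposals = aes128gcm16-prfsha256-x25519, aes256-sha256-x25519
        children {
            net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # ESP: the AEAD proposal (AES-GCM, no separate integrity
                # algorithm) is listed first and therefore preferred;
                # the CBC+HMAC proposal is only used if the peer lacks GCM
                esp_proposals = aes128gcm16-x25519, aes128-sha256-x25519
            }
        }
    }
}
```

After the CHILD_SA is established, `swanctl --list-sas` shows which proposal was actually negotiated; an AEAD child SA lists the GCM algorithm without a separate integrity algorithm, which is the quick check that the preferred proposal was accepted rather than the fallback.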

NetworkManager Plugin/Backend Updates

Password entry for private keys in the NetworkManager plugin has been fixed, the dialog height has been reduced by using tabs for options/proposals, and the AppStream metadata has been migrated from appdata to metainfo.

The NM backend (charon-nm) now clears cached credentials when a connection is terminated, the DPD and close action are both set to restart, and custom remote traffic selectors can be configured via the remote-ts option (no GUI support, so only via nmcli or the config file).

VICI-Plugin Updates

The vici plugin stores all CA certificates in one place, which avoids issues with unloading authority sections or clearing all credentials. When unloading a connection with start_action=start, any related IKE_SAs without children are now terminated (including those in CONNECTING state). Connections are now stored in a hashtable, which makes managing high numbers of connections faster. Our hashtable implementation was changed for this so it maintains insertion order. The default maximum size for VICI messages (512 KiB) can be changed via compile option.

Other Notable Features and Fixes

  • If a connection fails after getting redirected, we now restart connecting to the original host, not the one redirected to.
  • The pkcs11 plugin falls back to hashing data for PKCS#1 v1.5 RSA signatures in software if signature mechanisms with hashing (e.g. CKM_SHA256_RSA_PKCS) are not supported.
  • The owner/group of the log file opened by the file logger (e.g. via charon.filelog) is now set so the daemon can reopen it if the config is reloaded and it doesn't run as root.
  • The wolfssl plugin (when used with wolfSSL 4.4.0+) supports x448 Diffie-Hellman and Ed448 keys.
