
strongSwan 5.9.1 Released

We are happy to announce the release of strongSwan 5.9.1, which supports TPM 2.0 BIOS/EFI measurements and brings several other new features and fixes.


Support for TPM 2.0 BIOS/EFI Measurements

Remote attestation via TNC supports the SHA-256-based TPM 2.0 BIOS/EFI measurements introduced with the Linux 5.4 kernel. This includes support for the BIOS/EFI event log and for variable-sized PCR banks. The tpm plugin also supports SHA-3 and CMAC with TPM 2.0.

Other Notable Features and Fixes

  • The file and syslog loggers support logging the log level of each message after the subsystem (e.g. [IKE2]).
  • A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID to prevent Cisco devices from narrowing 0.0.0.0/0 traffic selectors.
  • Improved support for EdDSA keys in vici/swanctl, in particular, encrypted keys are now supported.
  • The openssl plugin accepts CRLs issued by non-CA certificates if they contain the cRLSign keyUsage flag.
  • All remaining queued vici messages are now sent to subscribed clients during shutdown.
  • Nonces in OCSP responses are not enforced anymore and only validated if a nonce is actually contained.
  • Fixed an issue when only some fragments of a retransmitted IKEv2 message were received, which prevented processing a following fragmented message.
  • CHILD_SA IP addresses are updated before installation of the IPsec SAs and policies to allow MOBIKE updates while retransmitting a CREATE_CHILD_SA request.
  • When looking for a route to the peer, the kernel-netlink plugin now ignores the current source address if it's deprecated.
  • charon-nm is now properly terminated during system shutdown.
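As an added illustration that is not part of the release announcement, the following strongswan.conf fragment enables the two new options listed above: the per-message log level in a file logger and the Cisco FlexVPN vendor ID. The option names (charon.cisco_flexvpn, charon.filelog.<name>.log_level, ike_name, path, default) follow strongswan.conf(5); the logger name and log path are assumptions, so check the man page shipped with your installed version.

```conf
# Added example (not from the strongSwan project): strongswan.conf for 5.9.1
charon {
    # Send the Cisco FlexVPN vendor ID so a Cisco peer does not narrow a
    # 0.0.0.0/0 traffic selector to the assigned virtual IP (IKEv2 only).
    # Default is no; only enable when talking to Cisco FlexVPN devices.
    cisco_flexvpn = yes

    filelog {
        # "charon" is an arbitrary logger name chosen for this example.
        charon {
            # Path is an assumption; pick one appropriate for your system.
            path = /var/log/charon.log
            # Default log level for all subsystems (0 = audit, 1 = control).
            default = 1
            # Prefix entries with the connection name and a unique IKE_SA id.
            ike_name = yes
            # New in 5.9.1: append the level after the subsystem, e.g. [IKE2].
            log_level = yes
        }
    }
}
```

With log_level enabled, each line in the file carries a tag such as [IKE2] or [CFG1], which makes it straightforward to filter audit-level (0) and control-level (1) events from verbose debugging output when feeding charon logs into a SIEM.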
