strongSwan - Design by Margo Galas <galas (at) solnet (dot) ch>

Main Sponsors

secunet

Hochschule für Technik Rapperswil

strongSwan 5.9.2 Released

We are happy to announce the release of strongSwan 5.9.2, which supports remote attestation of the complete boot phase, adds experimental support for TLS 1.3 and brings several other new features and fixes.


Remote Attestation of Complete Boot Phase

Together with a Linux 5.8 kernel supporting the IMA measurement of the GRUB bootloader and the Linux kernel, the strongSwan Attestation IMC allows to do remote attestation of the complete boot phase. A recent TPM 2.0 device with a SHA-256 PCR bank is required, so that both BIOS and IMA file measurements are based on SHA-256 hashes.

TLS 1.3 and other TLS Improvements

Our own TLS library (libtls) that we use for EAP-TLS, EAP-TTLS, EAP-PEAP and PT-TLS gained experimental support for TLS 1.3. Thanks to Méline Sieber (client) and Pascal Knecht (client and server) for their work on this.

The use of TLS 1.3 with the above EAP methods is not yet standardized. There are currently two Internet-Drafts (here and here) being developed to remedy this (see 121ac4b9e3 for details). But for this reason, the default maximum version is currently set to TLS 1.2, which is now also the default minimum version (both are configurable via strongswan.conf). However, the TNC test scenarios using PT-TLS transport already use TLS 1.3.

Several improvements for libtls also affect older TLS versions. For instance, we added support for ECDH with Curve25519/448 (DH groups may also be configured now), for EdDSA keys and certificates and for RSA-PSS signatures. Support for old and weak cipher suites has been removed (e.g. with 3DES and MD5) as well as signature schemes with SHA-1. 

Other Notable Features and Fixes

  • The listener_t::ike_update event is now also called for MOBIKE updates. Its signature has changed so we only have to call it once if both addresses (and/or ports) have changed (e.g. for an address family switch). The event is also exposed via vici.
  • The farp plugin has been ported to macOS and FreeBSD. Thanks to Dan James for working on this.
  • To fix DNS server installation with systemd-resolved, charon-nm now creates a dummy TUN device again.
  • The botan plugin can use rng_t implementations provided by other plugins when generating keys etc. if the Botan library supports it.
  • Simple glob patterns (e.g. include conf.d/*.conf) now also work on Windows. Handling of forward slashes in paths on Windows has also been improved.
  • The abbreviations for the surname and serial number RDNs in ASN.1 distinguished names have been changed to align with RFC 4519: The abbreviation for surname is now SN (was S before), which was previously used for serial number that can now be specified as serialNumber only.

Download Complete Changelog