Release and vulnerability announcements for strongSwan

strongSwan 5.9.13 Released

We are happy to announce the release of strongSwan 5.9.13, which fixes a regression related to handling OCSP error responses that was introduced with 5.9.12, adds a new setting to specify the length of nonces in OCSP requests, and includes several other fixes.

Fix Handling of OCSP Error Responses

A refactoring in 5.9.12 caused a regression where OCSP error responses crashed the daemon when it tried to verify the issuer of such a response (they are not signed, so there isn't one).

Setting for Length of Nonces in OCSP Requests

One reason for OCSP error responses can be older OCSP servers that don't support the new default length of 32 bytes for nonce values in OCSP requests, which strongSwan uses since 5.9.12, as required by RFC 8954 for newer clients. For this reason, we added the  charon.ocsp_nonce_len setting that allows specifying the length of such nonce values. With older servers, reducing it might be necessary, e.g. to 16, which was the previous default.

Other Notable Features and Fixes

  • OCSP error responses are now dropped immediately instead of trying to verify a non-existent signature.
  • pki --ocsp --respond replies with an internal error OCSP response if no signer certificate is found (e.g. if the request is sent to the wrong server) instead of failing silently.
  • Added missing environment variables for cert-install-ssl cert-enroll script script.

Download Complete Changelog