Cookies op Tweakers

Tweakers maakt gebruik van cookies, onder andere om de website te analyseren, het gebruiksgemak te vergroten en advertenties te tonen. Door gebruik te maken van deze website, of door op 'Ga verder' te klikken, geef je toestemming voor het gebruik van cookies. Wil je meer informatie over cookies en hoe ze worden gebruikt, bekijk dan ons cookiebeleid.

Meer informatie

Door , , 0 reacties
Bron: strongSwan

Voor het beveiligen van verbindingen over openbare netwerken kunnen verschillende protocollen worden gebruikt, zoals het veel toegepaste ipsec. StrongSwan is een ipsec-implementatie voor Linux-systemen die zich sinds de 4.2-tak richt op de huidige 2.6-Linux-kernel. Ondersteuning voor ikev1, ikev2 en ipv6 is aanwezig, zoals op deze pagina is na te lezen. De ontwikkelaars hebben de vierde developer-release van strongSwan 4.5.2 uitgebracht en voorzien van de volgende veranderingen sinds de vorige vermelding in de Meuktracker:

Version 4.5.2dr4:
  • Duncan Salerno contributed the eap-sim-pcsc plugin implementing a pcsc-lite based SIM card backend.
  • The eap-peap plugin implements the EAP PEAP protocol. Interoperates successfully with a FreeRADIUS server but not yet with a Windows 7 Agile VPN client.
Version 4.5.2dr3:
  • TNC server fixed to issue TNC_CONNECTION_STATE_HANDSHAKE message to IMVs.
  • Aligned order of PURGE_* flags with STROKE_PURGE_* keywords.
Version 4.5.2dr2:
  • fixed the encoding and parsing of X.509 certificate policy statements (CPS).
Version 4.5.2dr1:
  • The whitelist plugin for the IKEv2 daemon maintains an in-memory identity whitelist. Any connection attempt of peers not whitelisted will get rejected. The 'ipsec whitelist' utility provides a simple command line frontend for whitelist administration.
  • In the case that the peer config and child config don't have the same name (usually in SQL database defined connections), ipsec up|route starts|routes all associated child configs and ipsec up|route only starts|routes the specific child config.
Version 4.5.1:
  • Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP) compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend on the libtnc library. Any available IMV/IMC pairs conforming to the Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification can be loaded via /etc/tnc_config.
  • Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv in place of the external libtnc library.
  • The tnccs_dynamic plugin loaded on a TNC server in addition to the tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS protocol version used by a TNC client and invokes an instance of the corresponding protocol stack.
  • IKE and ESP proposals can now be stored in an SQL database using a new proposals table. The start_action field in the child_configs tables allows the automatic starting or routing of connections stored in an SQL database.
  • The new certificate_authorities and certificate_distribution_points tables make it possible to store CRL and OCSP Certificate Distribution points in an SQL database.
  • The new 'include' statement allows to recursively include other files in strongswan.conf. Existing sections and values are thereby extended and replaced, respectively.
  • Due to the changes in the parser for strongswan.conf, the configuration syntax for the attr plugin has changed. Previously, it was possible to specify multiple values of a specific attribute type by adding multiple key/value pairs with the same key (e.g. dns) to the plugins.attr section. Because values with the same key now replace previously defined values this is not possible anymore. As an alternative, multiple values can be specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5).
  • ipsec listalgs now appends (set in square brackets) to each crypto algorithm listed the plugin that registered the function.
  • Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given boundary, the special value '%mtu' pads all packets to the path MTU.
  • The new af-alg plugin can use various crypto primitives of the Linux Crypto API using the AF_ALG interface introduced with 2.6.38. This removes the need for additional userland implementations of symmetric cipher, hash, hmac and xcbc algorithms.
  • The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and responder. The notify is sent when initiating configurations with a unique policy, set in ipsec.conf via the global 'uniqueids' option.
  • The conftest conformance testing framework enables the IKEv2 stack to perform many tests using a distinct tool and configuration frontend. Various hooks can alter reserved bits, flags, add custom notifies and proposals, reorder or drop messages and much more. It is enabled using the --enable-conftest ./configure switch.
  • The new libstrongswan constraints plugin provides advanced X.509 constraint checking. In additon to X.509 pathLen constraints, the plugin checks for nameConstraints and certificatePolicies, including policyMappings and policyConstraints. The x509 certificate plugin and the pki tool have been enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf connection keywords take OIDs a peer certificate must have.
  • The left/rightauth ipsec.conf keywords accept values with a minimum strength for trustchain public keys in bits, such as rsa-2048 or ecdsa-256.
  • The revocation and x509 libstrongswan plugins and the pki tool gained basic support for delta CRLs.
Moderatie-faq Wijzig weergave

Reacties


Er zijn nog geen reacties geplaatst

Op dit item kan niet meer gereageerd worden.



Apple iOS 10 Google Pixel Apple iPhone 7 Sony PlayStation VR AMD Radeon RX 480 4GB Battlefield 1 Google Android Nougat Watch Dogs 2

© 1998 - 2016 de Persgroep Online Services B.V. Tweakers vormt samen met o.a. Autotrack en Carsom.nl de Persgroep Online Services B.V. Hosting door True