Various protocols can be used to secure connections over public networks, such as the widely deployed IPsec. strongSwan is an IPsec implementation for Linux systems and targets the current 2.6 and 3.x Linux kernels. It supports IKEv1, IKEv2 and IPv6, as can be read on this page. The developers have published the first developer release of strongSwan 4.6.3, which comes with the following changes:
- The tnc-pdp plugin implements a RADIUS server interface allowing a strongSwan TNC server to act as a Policy Decision Point.
- Added infrastructure to listen to RADIUS Dynamic Authorization Extension requests.
- Added support for untruncated MD5 and SHA1 HMACs in ESP as used in RFC 4595.
- Fully implemented the "TCG Attestation PTS Protocol: Binding to IF-M" standard (TLV-based messages only). TPM-based remote attestation of Linux IMA (Integrity Measurement Architecture) or Intel TBOOT possible. Measurement reference values are automatically stored in an SQLite database that can be managed using the new ipsec attest command line tool.
- Upgraded the TCG IF-IMC and IF-IMV C API to the upcoming version 1.3 which supports IF-TNCCS 2.0 long message types, the exclusive flags and multiple IMC/IMV IDs. Both the TNC Client and Server as well as the "Test", "Scanner", and "Attestation" IMC/IMV pairs were updated.
- The EAP-RADIUS authentication backend supports RADIUS accounting. It sends start/stop messages containing Username, Framed-IP and Input/Output-Octets attributes and has been tested against FreeRADIUS and Microsoft NPS.
- Added support for PKCS#8 encoded private keys via the libstrongswan pkcs8 plugin. This is the default format used by some OpenSSL tools since version 1.0.0 (e.g. openssl req with -keyout).
- Added session resumption support to the strongSwan TLS stack.
- The maximum number of stroke messages concurrently handled by the charon daemon is now limited to avoid clogging the thread pool with potentially blocking jobs. How many messages are handled concurrently can be configured with the charon.plugins.stroke.max_concurrent option in strongswan.conf.
- For Android builds the binaries to be installed on the final system have to be added to PRODUCT_PACKAGES in build/target/product/core.mk. Dependencies such as libraries are automatically installed. See the comments in the top-level Android.mk.
- Debug output for low-level encoding/decoding (X.509, ASN.1 etc.) is now logged in a new ASN log group.
- The native thread ID is logged in the LIB log group with log level 2 when a thread is created.
- Because checksums changed between compilation and installation, which caused the integrity tests to fail, we avoided linking libsimaka, libtls and libtnccs directly to the libcharon plugins that use these dynamic libraries and instead linked them to the charon daemon. Unfortunately Ubuntu 11.10 enabled the --as-needed ld option, which discards explicit links to dynamic libraries that the charon daemon itself does not actually use; plugins that depend on these libraries for resolving external symbols then failed to load.
- Therefore our approach of computing integrity checksums for plugins had to be changed radically by moving the hash generation from the compilation to the post-installation phase.
- The new libstrongswan certexpire plugin collects expiration information of all used certificates and exports them to CSV files. It either directly exports them or uses cron style scheduling for batch exports.
- starter passes unresolved hostnames to charon, which defers name resolution until the connection attempt. This is especially useful for connections between hosts using dynamic IP addresses. Thanks to Mirko Parthey for the initial patch.
- The android plugin can now be used without the Android frontend patch and provides DNS server registration and logging to logcat.
- Pluto and starter (plus stroke and whack) have been ported to Android. With starter and stroke the IKEv2 daemon charon can now be configured via ipsec.conf on Android.
- Support for ECDSA private and public key operations has been added to the pkcs11 plugin. The plugin now also provides DH and ECDH via PKCS#11 and can use tokens as random number generators (RNG). By default only private key operations are enabled; the more advanced features have to be enabled through their respective options in strongswan.conf. This also applies to public key operations (even for keys not stored on the token), which were enabled by default before.
- The libstrongswan plugin system now supports detailed plugin dependencies. Many plugins have been extended to export their capabilities and requirements. This allows the plugin loader to resolve plugin loading order automatically, and in future releases, to dynamically load the required features on demand. Existing third party plugins are source (but not binary) compatible if they properly initialize the new get_features() plugin function to NULL.
- The tnc-ifmap plugin implements a TNC IF-MAP 2.0 client which can deliver metadata about IKE_SAs via a SOAP interface to a MAP server. The tnc-ifmap plugin requires the Apache Axis2/C library.
- Remote attestation effected by the TCG Platform Trust Service (PTS) can be transferred via the TNC IF-M 1.0 protocol (RFC 5792 PA-TNC) to a strongSwan TNC server. Currently remote file measurements are supported with full TPM support expected for the 4.6.1 release.
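The PKCS#8 item above is a common source of "private key could not be loaded" failures: since OpenSSL 1.0.0, `openssl req -keyout` writes a `BEGIN PRIVATE KEY` (PKCS#8) container rather than the traditional `BEGIN RSA PRIVATE KEY` (PKCS#1) one, and a strongSwan build without the new pkcs8 plugin cannot parse it. The following script is an added example, not code from the strongSwan project; it classifies a key by its PEM armour alone (no openssl binary needed) so an administrator can see before a tunnel fails whether the pkcs8 plugin is required. The `/etc/ipsec.d/private` default and the `write_sample_key` helper, which writes constructed placeholder files for testing, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not strongSwan's own code: tell PKCS#8 keys (the format newer
# OpenSSL tools emit) from traditional PKCS#1/SEC1 keys by inspecting the PEM
# header only, so a key that charon cannot load without the pkcs8 plugin is
# caught before a tunnel fails to come up. No openssl binary is needed.

# Print the key container format implied by the first PEM BEGIN line:
#   pkcs8 | pkcs8-encrypted | pkcs1-rsa | sec1-ec | dsa | unknown
pem_key_format() {
    # first BEGIN line only; drop a CR in case the file has DOS line endings
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;
        '-----BEGIN DSA PRIVATE KEY-----')       echo dsa ;;
        *)                                       echo unknown ;;
    esac
}

# Exit 0 when loading this key requires the pkcs8 plugin, 1 otherwise.
needs_pkcs8_plugin() {
    case "$(pem_key_format "$1")" in
        pkcs8|pkcs8-encrypted) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Write a constructed (not real) PEM file with the given header label so the
# classifier can be exercised offline. The base64 body is a placeholder.
write_sample_key() {
    file="$1"; label="$2"
    printf '%s\n' "-----BEGIN $label-----" "AAAA" "-----END $label-----" > "$file"
}

# Report every key in a directory. The default is the conventional strongSwan
# private key directory (an assumption; it may not exist on this host).
# usage: report_keys /etc/ipsec.d/private
report_keys() {
    dir="${1:-/etc/ipsec.d/private}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmt=$(pem_key_format "$f")
        if needs_pkcs8_plugin "$f"; then
            echo "$f: $fmt (load the pkcs8 plugin, or convert to the traditional format with 'openssl rsa' / 'openssl ec')"
        else
            echo "$f: $fmt"
        fi
    done
}
```

Only the PEM header is inspected, so the script says nothing about whether the key material itself is valid; it answers the narrower question of which strongSwan plugin has to be present to parse the container.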
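Two of the items above (the new limit on concurrently handled stroke messages, and the pkcs11 plugin's default of exposing only private key operations) are controlled from strongswan.conf. The fragment below is an added example, not configuration shipped by the strongSwan project: `charon.plugins.stroke.max_concurrent` is the option named in the changelog, while the `pkcs11` option names (`use_dh`, `use_ecc`, `use_pubkey`, `use_rng`, `modules.<name>.path`) are assumed from the strongswan.conf documentation of that release series, and the module name and library path are placeholders.

```conf
# Added example of a strongswan.conf fragment; not the project's shipped defaults.
charon {
    plugins {
        stroke {
            # Upper bound on stroke messages handled at the same time, so a burst
            # of ipsec up/down commands cannot fill the thread pool with blocking jobs.
            max_concurrent = 4
        }
        pkcs11 {
            # Option names assumed from the strongswan.conf documentation.
            # Only private key operations are enabled by default; keep token-side
            # DH/ECDH, RNG and public key use off unless a deployment needs them,
            # so a slow or misbehaving token cannot stall unrelated operations.
            use_dh = no
            use_ecc = no
            use_pubkey = no
            use_rng = no
            modules {
                # Placeholder module name and library path.
                hsm {
                    path = /usr/lib/libpkcs11-PLACEHOLDER.so
                }
            }
        }
    }
}
```

The settings are read by charon at start-up; after editing the file, `ipsec restart` (or a reload of the affected plugin configuration, where supported) is needed for them to take effect.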