Several protocols can be used to secure connections over public networks, such as the widely used IPsec. StrongSwan is an IPsec implementation for Linux systems, whose 5.0 branch targets the 2.6 and 3.x Linux kernels. Support for IKEv1, IKEv2 and IPv6 is included, as can be read on this page. The developers have released strongSwan 5.3.4 and accompanied it with the following list of changes:
- Fixed an authentication bypass vulnerability in the eap-mschapv2 plugin that was caused by insufficient verification of the internal state when handling EAP-MSCHAPv2 Success messages received by the client. This vulnerability has been registered as CVE-2015-8023. Please refer to our blog for details.
- The sha3 plugin implements the SHA3 Keccak-F1600 hash algorithm family. Within the strongSwan framework SHA3 is currently used for BLISS signatures only because the OIDs for other signature algorithms haven't been defined yet. Also the use of SHA3 for IKEv2 has not been standardized yet.
- The EAP-MSCHAPv2 username now replaces the identity of any previous EAP-Identity exchange (#1182).
- Fixed several issues with IKEv1 Phase 2 message handling (#1076, #1128, #1130, #1198).
- A bug with setting the source IP for IKE packets was fixed that caused problems with newer compilers (#1171).
- The ipsec stroke down-nb command is now actually non-blocking (#1191).
- Some VICI commands received updates: NAT information and virtual IPs are listed for IKE_SAs (04f22cdabc, bdb8b76515), IP address leases are optionally listed for pools defined via VICI (f4641f9e45).
- The file-logger now optionally logs the milliseconds within the current second (548b993488).
- Fetching CRLs in PEM format is now supported and using the curl plugin to fetch CRLs from file:// URIs has also been fixed (#1203).
- CRLs added via VICI are now properly added to the credential set (e5e352e631).
- IKEv2 NAT-D payloads are now created in a more static way, which ensures they stay the same when retrying to establish an IKE_SA (e.g. due to INVALID_KEY_PAYLOAD notifies, #1131).
- Fixed compress=yes (IPComp) with IPv6 and leftfirewall=yes (382f8a334a).
- Fixed a deadlock in duplicate checking for IKEv1 SAs (758b1caa0e, 1d528cfb8d).
- The del_policy method of kernel_ipsec_t now receives the same information originally passed to add_policy (a6e0f14fd2).
- The kernel-netlink plugin allows IPsec policies to replace shunt policies, which allows configuring matching type=drop policies alongside auto=add connections.
- To debug custom plugins they can now optionally be loaded with RTLD_NOW so missing symbols are revealed immediately (via charon.dlopen_use_rtld_now). The same applies for custom IMVs/IMCs.
- The runtime for our regression tests has been reduced significantly (by about 75%).
- The Android app has been updated to use the Gradle build system.