Software update: strongSwan 5.6.3

Various protocols can be used to secure connections over public networks, such as the widely used IPsec. strongSwan is an IPsec implementation for Android, Linux, FreeBSD, iOS and macOS systems. It supports IKEv1, IKEv2 and IPv6, as can be read on this page. The developers have released strongSwan 5.6.3 with the following changes:

Version 5.6.3
  • Fixed a DoS vulnerability in the IKEv2 key derivation if the openssl plugin is used in FIPS mode and HMAC-MD5 is negotiated as PRF. This vulnerability has been registered as CVE-2018-10811. Please refer to our blog for details.
  • Fixed a vulnerability in the stroke plugin, which did not check the received length before reading a message from the socket. Unless a group is configured, root privileges are required to access that socket, so in the default configuration this shouldn't be an issue. This vulnerability has been registered as CVE-2018-5388. Please refer to our blog for details.
  • CRLs that are not yet valid are now ignored to avoid problems in scenarios where expired certificates are removed from new CRLs and the clock on the host doing the revocation check is trailing behind that of the host issuing CRLs. Not doing this could result in accepting a revoked and expired certificate, if it's still valid according to the trailing clock but not contained anymore in not yet valid CRLs.
  • The issuer of fetched CRLs is now compared to the issuer of the checked certificate (#2608).
  • CRL validation results other than revocation (e.g. a skipped check because the CRL couldn't be fetched) are now stored also for intermediate CA certificates and not only for end-entity certificates, so a strict CRL policy can be enforced in such cases.
  • In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must now either not contain a keyUsage extension (like the ones generated by pki), or have at least one of the digitalSignature or nonRepudiation bits set.
  • New options for vici/swanctl allow forcing the local termination of an IKE_SA. This might be useful in situations where it's known the other end is not reachable anymore, or that it already removed the IKE_SA, so retransmitting a DELETE and waiting for a response would be pointless. Waiting only a certain amount of time for a response (i.e. shorter than all retransmits would be) before destroying the IKE_SA is also possible by additionally specifying a timeout in the forced termination request.
  • When removing routes, the kernel-netlink plugin now checks if it tracks other routes for the same destination and replaces the installed route instead of just removing it. Same during installation, where existing routes previously weren't replaced. This should allow using traps with virtual IPs on Linux (#2162).
  • The dhcp plugin now only sends the client identifier DHCP option if the identity_lease setting is enabled (7b660944b6). It can also send identities of up to 255 bytes length, instead of the previous 64 bytes (30e886fe3b, 0e5b94d038). If a server address is configured, DHCP requests are now sent from port 67 instead of 68 to avoid ICMP port unreachables (becf027cd9).
  • The handling of faulty INVALID_KE_PAYLOAD notifies (e.g. one containing a DH group that wasn't proposed) during CREATE_CHILD_SA exchanges has been improved (#2536).
  • Roam events are now completely ignored for IKEv1 SAs (there is no MOBIKE to handle such changes properly).
  • ChaCha20/Poly1305 is now correctly proposed without key length (#2614). For compatibility with older releases the chacha20poly1305compat keyword may be included in proposals to also propose the algorithm with a key length (c58434aeff).
  • Configuration of hardware offload of IPsec SAs is now more flexible and allows a new setting (auto), which automatically uses it if the kernel and device both support it. If hw_offload is set to yes and offloading is not supported, the CHILD_SA installation now fails.
  • The kernel-pfkey plugin optionally installs routes via internal interface (one with an IP in the local traffic selector). On FreeBSD, enabling this selects the correct source IP when sending packets from the gateway itself (e811659323).
  • SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1 (#2574).
  • The pki --verify tool may load CA certificates and CRLs from directories.
  • The IKE daemon now also switches to port 4500 if the remote port is not 500 (e.g. because the remote maps the response to a different port, as might happen on Azure), as long as the local port is 500 (85bfab621d).
  • Fixed an issue with DNS servers passed to NetworkManager in charon-nm (ee8c25516a).
  • Logged traffic selectors now always contain the protocol if either protocol or port are set (a36d8097ed).
  • Only the inbound SA/policy will be updated as reaction to IP address changes for rekeyed CHILD_SAs that are kept around.
  • The parser for strongswan.conf/swanctl.conf now accepts = characters in values without having to put the value in quotes (e.g. for Base64 encoded shared secrets).
  • Notes for developers:
    • trap_manager_t: Trap policies are now uninstalled by peer/child name and not the reqid. No reqid is returned anymore when installing trap policies.
    • child_sa_t: A new state (CHILD_DELETED) is used for CHILD_SAs that have been deleted but not yet destroyed (after a rekeying CHILD_SAs are kept around for a while to process delayed packets). This way child_updown events are not triggered anymore for such SAs when an IKE_SA that has such CHILD_SAs assigned is deleted.
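
The CRL item above (CRLs that are not yet valid are now ignored) can be traced with a small model. This is an added example, not strongSwan's code: the crl_t struct, the function names, the timestamps and serial 42 are constructed, and "use the CRL with the newest thisUpdate" is an assumed selection rule used only for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Simplified CRL model, constructed for this example (not strongSwan types). */
typedef struct {
    long this_update;         /* thisUpdate: start of the CRL's validity */
    const unsigned *revoked;  /* serial numbers listed as revoked */
    size_t count;
} crl_t;

static bool crl_lists(const crl_t *crl, unsigned serial)
{
    for (size_t i = 0; i < crl->count; i++)
        if (crl->revoked[i] == serial) return true;
    return false;
}

/* Assumed rule: use the CRL with the newest thisUpdate. With skip set,
 * CRLs that are not yet valid by the local clock are ignored. */
static const crl_t *select_crl(const crl_t *crls, size_t n, long now, bool skip)
{
    const crl_t *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (skip && crls[i].this_update > now)
            continue;
        if (!best || crls[i].this_update > best->this_update)
            best = &crls[i];
    }
    return best;
}

/* Constructed timeline: the certificate (serial 42) was revoked, then expired
 * at t=1500. The issuer (clock at 1600) dropped it from its new CRL. The
 * checking host's clock trails at 1400, so the certificate looks unexpired. */
static bool cert_accepted(bool skip_future)
{
    static const unsigned old_list[] = { 42 };
    const crl_t crls[] = { { 1000, old_list, 1 }, { 1600, NULL, 0 } };
    const long now = 1400, not_after = 1500;
    if (now > not_after) return false;      /* expired by the local clock */
    const crl_t *crl = select_crl(crls, 2, now, skip_future);
    return crl != NULL && !crl_lists(crl, 42);
}

int main(void)
{
    printf("%d %d\n", cert_accepted(false), cert_accepted(true));
}
```

With the not-yet-valid CRL in play the revoked certificate is accepted; once that CRL is ignored, the older CRL still lists serial 42 and the certificate is rejected.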
Version number: 5.6.3
Release status: Final
Operating systems: Android, Linux, BSD, macOS, Solaris, iOS
Website: strongSwan
Download: https://www.strongswan.org/download.html
License type: Conditions (GNU/BSD/etc.)

By Japke Rosink

Meukposter

08-06-2018 • 12:14


Source: strongSwan


Comments (1)

Use Wireguard. Super easy to set up, and good performance.
