Cookies op Tweakers

Tweakers is onderdeel van DPG Media en maakt gebruik van cookies, JavaScript en vergelijkbare technologie om je onder andere een optimale gebruikerservaring te bieden. Ook kan Tweakers hierdoor het gedrag van bezoekers vastleggen en analyseren. Door gebruik te maken van deze website, of door op 'Cookies accepteren' te klikken, geef je toestemming voor het gebruik van cookies. Wil je meer informatie over cookies en hoe ze worden gebruikt? Bekijk dan ons cookiebeleid.

Meer informatie

Software-update: strongSwan 5.7.0

strongSwan logo (60 pix)Voor het beveiligen van verbindingen over openbare netwerken kunnen verschillende protocollen worden gebruikt, zoals het veel toegepaste ipsec. StrongSwan is een ipsec-implementatie voor Android-, Linux-, FreeBSD-, iOS- en macOS-systemen. Ondersteuning voor ikev1, ikev2 en ipv6 is aanwezig, zoals op deze pagina na te lezen is. De ontwikkelaars hebben strongSwan 5.7.0 uitgebracht met de volgende veranderingen:

Version 5.7.0
  • Fixes a potential authorization bypass vulnerability in the gmp plugin that was caused by a too lenient verification of PKCS#1 v1.5 signatures. Several flaws could be exploited by a Bleichenbacher-style attack to forge signatures for low-exponent keys (i.e. with e=3).
    CVE-2018-16151 has been assigned to the problem of accepting random bytes after the OID of the hash function in such signatures, and CVE-2018-16152 has been assigned to the issue of not verifying that the parameters in the ASN.1 algorithmIdentitifer structure is empty. Other flaws that don't lead to a vulnerability directly (e.g. not checking for at least 8 bytes of padding) have no separate CVE assigned. Please refer to our blog for details.
  • Dots are not allowed anymore in section names in swanctl.conf and strongswan.conf. This mainly affects the configuration of file loggers. If the path for such a log file contains dots it now has to be configured in the new path setting within the arbitrarily renamed subsection in the filelog section.
  • Sections in swanctl.conf and strongswan.conf may now reference other sections. All settings and subsections from such a section are inherited. This allows to simplify configs as redundant information has only to be specified once and may then be included in other sections (see strongswan.conf for an example).
  • The originally selected IKE config (based on the IPs and IKE version) can now change if no matching algorithm proposal is found. This way the order of the configs doesn't matter that much anymore and it's easily possible to specify separate configs for clients that require weaker algorithms (instead of having to also add them in other configs that might be selected).
  • Support for Postquantum Preshared Keys for IKEv2 (draft-ietf-ipsecme-qr-ikev2) has been added. For an example refer to the swanctl/rw-cert-ppk scenario (or with EAP, or PSK authentication).
  • The new botan plugin is a wrapper around the Botan C++ crypto library. It requires a fairly recent build from Botan's master branch (or the upcoming 2.8.0 release). Thanks to René Korthaus and his team from Rohde & Schwarz Cybersecurity for the initial patch and to Jack Lloyd for quickly adding missing functions to Botan's FFI (C89) interface.
  • Implementation of RFC 8412 "Software Inventory Message and Attributes (SWIMA) for PA-TNC". SWIMA subscription option sets CLOSE_WRITE trigger on apt history.log file resulting in a ClientRetry PB-TNC batch to initialize a new measurement cycle. The new imv/imc-swima plugins replace the previous imv/imc-swid plugins, which were removed.
  • Added support for fuzzing the PA-TNC (RFC 5792) and PB-TNC (RFC 5793) NEA protocols on Google's OSS-Fuzz infrastructure.
  • Support for version 2 of Intel's TPM2-TSS TGC Software Stack. The presence of the in-kernel /dev/tpmrm0 resource manager is automatically detected.
  • The pki tool accepts a xmppAddr otherName as a subjectAlternativeName using the syntax --san xmppaddr:#&060;jid>.
  • swanctl.conf supports the configuration of marks the in- and/or outbound SA should apply to packets after processing on Linux. Configuring such a mark for outbound SAs requires at least a 4.14 kernel. The ability to set a mask and configuring a mark/mask for inbound SAs will be added with the upcoming 4.19 kernel.
  • New options in swanctl.conf allow configuring how/whether DF, ECN and DS fields in the IP headers are copied during IPsec processing. Controlling this is currently only possible on Linux.
  • The handling of sequence numbers in IKEv1 DPDs has been improved (#2714).
  • To avoid conflicts, the dhcp plugin now only uses the DHCP server port if explicitly configured.
Versienummer 5.7.0
Releasestatus Final
Besturingssystemen Android, Linux, BSD, macOS, Solaris, iOS
Website strongSwan
Licentietype Voorwaarden (GNU/BSD/etc.)

Door Japke Rosink


01-10-2018 • 09:40

0 Linkedin

Bron: strongSwan



Er zijn nog geen reacties geplaatst

Op dit item kan niet meer gereageerd worden.

Nintendo Switch (OLED model) Apple iPhone 13 LG G1 Google Pixel 6 Call of Duty: Vanguard Samsung Galaxy S21 5G Apple iPad Pro (2021) 11" Wi-Fi, 8GB ram Nintendo Switch Lite

Tweakers vormt samen met Hardware Info, AutoTrack,, Nationale Vacaturebank, Intermediair en Independer DPG Online Services B.V.
Alle rechten voorbehouden © 1998 - 2022 Hosting door True