Software-update: strongSwan 5.8.1

strongSwan logo (60 pix)Voor het beveiligen van verbindingen over openbare netwerken kunnen verschillende protocollen worden gebruikt, zoals het veel toegepaste ipsec. StrongSwan is een ipsec-implementatie voor Android-, Linux-, FreeBSD-, iOS- en macOS-systemen. Ondersteuning voor ikev1, ikev2 en ipv6 is aanwezig, zoals op deze pagina te lezen is. De ontwikkelaars hebben strongSwan 5.8.1 uitgebracht met de volgende veranderingen:

Version 5.8.1
  • RDNs in DNs of X.509 certificates can now optionally be matched less strict. The global strongswan.conf option charon.rdn_matching takes two alternative values that cause the matching algorithm to either ignore the order of matched RDNs (reordered) or additionally (relaxed) accept DNs that contain more RDNs than configured (unmatched RDNs are treated like wildcard matches).
  • The updown plugin now passes the same interface to the script that is also used for the automatically installed routes, that is, the interface over which the peer is reached instead of the interface on which the local address is found (#3095).
  • TPM 2.0 contexts are now protected by a mutex to prevent issues if multiple IKE_SAs use the same private key concurrently (4b25885025).
  • Do a rekey check after the third QM message was received (#3060).
  • If available, explicit_bzero() is now used as memwipe() instead of our own implementation.
  • An .editorconfig file has been added, mainly so Github shows files with proper indentation (68346b6962).
  • The internal certificate of the load-tester plugin has been modified so it can again be used as end-entity cert with 5.6.3 and later (#3139).
  • The maximum data length of received COOKIE notifies (64 bytes) is now enforced (#3160).
Version 5.8.0
  • The systemd service units have been renamed. The modern unit, which was called strongswan-swanctl, is now called strongswan (the previous name is configured as alias in the unit, for which a symlink is created when the unit is enabled). The legacy unit is now called strongswan-starter.
  • Support for XFRM interfaces (available since Linux 4.19) has been added, which are intended to replace VTI devices (they are similar but offer several advantages, for instance, they are not bound to an address or address family). IPsec SAs and policies are associated with such interfaces via interface IDs that can be configured in swanctl.conf (dynamic IDs may optionally be allocated for each SA and even direction). It's possible to use separate interfaces for in- and outbound traffic (or only use an interface in one direction and regular policies in the other). Interfaces may be created dynamically via updown/vici scripts, or statically before or after establishing the SAs. Routes must be added manually as needed (the daemon will not install any routes for outbound policies with an interface ID). When moving XFRM interfaces to other network namespaces they retain access to the SAs and policies installed in the original namespace, which allows providing IPsec tunnels for processes in other network namespaces without giving them access to the IPsec keys or IKE credentials. More information can be found on the page about route-based VPNs.
  • Initiation of childless IKE_SAs is supported (RFC 6023). If enabled and supported by the responder, no CHILD_SA is established during IKE_AUTH. Instead, all CHILD_SAs are created with CREATE_CHILD_SA exchanges. This allows using a separate DH exchange even for the first CHILD_SA, which is otherwise created during IKE_AUTH with keys derived from the IKE_SA's key material. The swanctl --initiate command may be used to initiate only the IKE_SA via --ike option if --child is omitted and the peer supports this extension.
  • The NetworkManager backend and plugin support IPv6.
  • The new wolfssl plugin is a wrapper around the wolfSSL crypto library. Thanks to Sean Parkinson of wolfSSL Inc. for the initial patch.
  • IKE SPIs may optionally be labeled via the charon.spi_mask|label options in strongswan.conf. This feature was extracted from charon-tkm, however, now applies the mask/label in network order.
  • The openssl plugin supports ChaCha20-Poly1305 when built with OpenSSL 1.1.0.
  • The PB-TNC finite state machine according to section 3.2 of RFC 5793 was not correctly implemented when sending either a CRETRY or SRETRY batch. These batches can only be sent in the "Decided" state and a CRETRY batch can immediately carry all messages usually transported by a CDATA batch. It is currently not possible to send a SRETRY batch since full-duplex mode for PT-TLS transport is not supported.
  • Instead of marking IPv6 virtual IPs as deprecated, the kernel-netlink plugin now uses address labels to avoid that such addresses are used for non-VPN traffic (00a953d090).
  • The agent plugin now creates sockets to the ssh/gpg-agent dynamically and does not keep them open, which otherwise might prevent the agent from getting terminated.
  • To avoid broadcast loops the forecast plugin now only reinjects packets that are marked or received from the configured interface.
  • UTF-8 encoded passwords are supported via EAP-MSCHAPv2, which internally uses an UTF-16LE encoding to calculate the NT hash (#3014).
  • Properly delete temporary drop policies (used when updating IP addresses of SAs) if manual priorities are used, which was broken since 5.6.2 (8e31d65730).
  • Avoid overwriting start_action when parsing the inactivity timeout in the vici plugin (#2954).
  • Fixed the automatic termination of reloaded vici connections with start_action=start, which was broken since 5.6.3 (71b22c250f).
  • The lookup for shared secrets for IKEv1 SAs via sql plugin should now work better (6ec9f68f32).
  • Fixed a race condition in the trap manager between installation and removal of a policy (69cbe2ca3f).
  • Compilation of the kernel-netlink plugin has been fixed on old kernels (< 2.6.39), which was caused by the HW offload changes (c7f579fa17).
  • The IPsec stack detection and module loading in starter has been removed (it wasn't enforced anyway and loading modules doesn't seem necessary, also KLIPS hasn't been supported for a long time and PF_KEY will eventually be removed from the Linux kernel, ba817d2917).
  • Several IKEv2 protocol details are now handled more strictly: Unrequested virtual IPs are ignored, CFG_REPLY payloads are ignored if no CFG_REQUEST payloads were sent, a USE_TRANSPORT_MODE notify received from the responder is checked against the local configuration.
  • The keys and certificates used by the scenarios in the testing environment are now generated dynamically. Running the testing/scripts/build-certs script after creating the base and root images uses the pki utility installed in the latter to create the keys and certificates for all the CAs and in some cases for individual scenarios. These credentials are stored in the source tree, not the image, so this has to be called only once even if the images are later rebuilt. The script automatically (re-)rebuilds the guest images as that generates fresh CRLs and signs the DNS zones. The only keys/certificates currently not generated are the very large ones used by the ikev2/rw-eap-tls-fragments scenario.
Versienummer 5.8.1
Releasestatus Final
Besturingssystemen Android, Linux, BSD, macOS, Solaris
Website strongSwan
Licentietype Voorwaarden (GNU/BSD/etc.)

Door Japke Rosink


10-09-2019 • 09:19

0 Linkedin

Bron: strongSwan



Wijzig sortering

Er zijn nog geen reacties geplaatst

Op dit item kan niet meer gereageerd worden.

Tweakers maakt gebruik van cookies

Tweakers plaatst functionele en analytische cookies voor het functioneren van de website en het verbeteren van de website-ervaring. Deze cookies zijn noodzakelijk. Om op Tweakers relevantere advertenties te tonen en om ingesloten content van derden te tonen (bijvoorbeeld video's), vragen we je toestemming. Via ingesloten content kunnen derde partijen diensten leveren en verbeteren, bezoekersstatistieken bijhouden, gepersonaliseerde content tonen, gerichte advertenties tonen en gebruikersprofielen opbouwen. Hiervoor worden apparaatgegevens, IP-adres, geolocatie en surfgedrag vastgelegd.

Meer informatie vind je in ons cookiebeleid.


Toestemming beheren

Hieronder kun je per doeleinde of partij toestemming geven of intrekken. Meer informatie vind je in ons cookiebeleid.

Functioneel en analytisch

Deze cookies zijn noodzakelijk voor het functioneren van de website en het verbeteren van de website-ervaring. Klik op het informatie-icoon voor meer informatie. Meer details


    Relevantere advertenties

    Dit beperkt het aantal keer dat dezelfde advertentie getoond wordt (frequency capping) en maakt het mogelijk om binnen Tweakers contextuele advertenties te tonen op basis van pagina's die je hebt bezocht. Meer details

    Tweakers genereert een willekeurige unieke code als identifier. Deze data wordt niet gedeeld met adverteerders of andere derde partijen en je kunt niet buiten Tweakers gevolgd worden. Indien je bent ingelogd, wordt deze identifier gekoppeld aan je account. Indien je niet bent ingelogd, wordt deze identifier gekoppeld aan je sessie die maximaal 4 maanden actief blijft. Je kunt deze toestemming te allen tijde intrekken.

    Ingesloten content van derden

    Deze cookies kunnen door derde partijen geplaatst worden via ingesloten content. Klik op het informatie-icoon voor meer informatie over de verwerkingsdoeleinden. Meer details