NEWS: Some minor updates
parent 2c7a4b0704
commit 0d0c8f7d3e
@ -14,21 +14,21 @@ strongswan-5.6.3
- The issuer of fetched CRLs is now compared to the issuer of the checked
certificate.
- CRL results other than revocation (e.g. a skipped check because the CRL
couldn't be fetched) are now stored also for intermediate CA certificates and
not only for end-entity certificates, so a strict CRL policy can be enforced
in such cases.
- CRL validation results other than revocation (e.g. a skipped check because
the CRL couldn't be fetched) are now stored also for intermediate CA
certificates and not only for end-entity certificates, so a strict CRL policy
can be enforced in such cases.
- In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must
now either not contain a keyUsage extension (like the ones generated by pki)
or have at least one of the digitalSignature or nonReputiation bits set.
or have at least one of the digitalSignature or nonRepudiation bits set.
- New options for vici/swanctl allow forcing the local termination of an IKE_SA.
This might be useful in situations where it's known the other end is not
reachable anymore or that it already removed the IKE_SA, so there is no point
in retransmitting a DELETE and waiting for a response (it's also possible to
wait for a certain amount of time, e.g. shorter than all retransmits, until
destroying the SA).
reachable anymore, or that it already removed the IKE_SA, so retransmitting a
DELETE and waiting for a response would be pointless. Waiting only a certain
amount of time for a response before destroying the IKE_SA is also possible
by additionally specifying a timeout.
- When removing routes, the kernel-netlink plugin now checks if it tracks other
routes for the same destination and replaces the installed route instead of
|
@ -36,9 +36,9 @@ strongswan-5.6.3
weren't replaced. This should allow using traps with virtual IPs on Linux.
- The dhcp plugin only sends the client identifier option if identity_lease is
enabled. It also can send longer identities (up to 255 bytes instead of the
previous 64 bytes). If a server address is configured, DHCP requests are now
sent from port 67 instead of 68.
enabled. It can also send identities of up to 255 bytes length, instead of
the previous 64 bytes. If a server address is configured, DHCP requests are
now sent from port 67 instead of 68 to avoid ICMP port unreachables.
- Roam events are now completely ignored for IKEv1 SAs.
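Review bot: in the reworded dhcp entry, "to avoid ICMP port unreachables" reads as jargon and "identities of up to 255 bytes length" is ungrammatical; "to avoid ICMP port unreachable messages" and "identities of up to 255 bytes in length" would read better. The added rationale for sending requests from port 67 rather than 68 is useful and should stay.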
@ -47,7 +47,7 @@ strongswan-5.6.3
included in proposals to also propose the algorithm with a key length.
- Configuration of hardware offload of IPsec SAs is now more flexible and allows
a new mode, which automatically uses it if the kernel and hardware support it.
a new mode, which automatically uses it if the kernel and device support it.
- SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
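Review bot: replacing "hardware" with "device" avoids repeating "hardware" from the start of the same sentence and is the better word, but the entry still does not name the value of the new offload mode; consider adding it so users can find the setting in the swanctl configuration documentation.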