diff --git a/NEWS b/NEWS index 2126ca89c..18f28b81c 100644 --- a/NEWS +++ b/NEWS @@ -14,21 +14,21 @@ strongswan-5.6.3 - The issuer of fetched CRLs is now compared to the issuer of the checked certificate. -- CRL results other than revocation (e.g. a skipped check because the CRL - couldn't be fetched) are now stored also for intermediate CA certificates and - not only for end-entity certificates, so a strict CRL policy can be enforced - in such cases. +- CRL validation results other than revocation (e.g. a skipped check because + the CRL couldn't be fetched) are now stored also for intermediate CA + certificates and not only for end-entity certificates, so a strict CRL policy + can be enforced in such cases. - In compliance with RFC 4945, section 5.1.3.2, certificates used for IKE must now either not contain a keyUsage extension (like the ones generated by pki) - or have at least one of the digitalSignature or nonReputiation bits set. + or have at least one of the digitalSignature or nonRepudiation bits set. - New options for vici/swanctl allow forcing the local termination of an IKE_SA. This might be useful in situations where it's known the other end is not - reachable anymore or that it already removed the IKE_SA, so there is no point - in retransmitting a DELETE and waiting for a response (it's also possible to - wait for a certain amount of time, e.g. shorter than all retransmits, until - destroying the SA). + reachable anymore, or that it already removed the IKE_SA, so retransmitting a + DELETE and waiting for a response would be pointless. Waiting only a certain + amount of time for a response before destroying the IKE_SA is also possible + by additionally specifying a timeout. - When removing routes, the kernel-netlink plugin now checks if it tracks other routes for the same destination and replaces the installed route instead of 
@@ -36,9 +36,9 @@ strongswan-5.6.3 weren't replaced. This should allow using traps with virtual IPs on Linux. - The dhcp plugin only sends the client identifier option if identity_lease is - enabled. It also can send longer identities (up to 255 bytes instead of the - previous 64 bytes). If a server address is configured, DHCP requests are now - sent from port 67 instead of 68. + enabled. It can also send identities of up to 255 bytes length, instead of + the previous 64 bytes. If a server address is configured, DHCP requests are + now sent from port 67 instead of 68 to avoid ICMP port unreachables. - Roam events are now completely ignored for IKEv1 SAs. @@ -47,7 +47,7 @@ strongswan-5.6.3 included in proposals to also propose the algorithm with a key length. - Configuration of hardware offload of IPsec SAs is now more flexible and allows - a new mode, which automatically uses it if the kernel and hardware support it. + a new mode, which automatically uses it if the kernel and device support it. - SHA-2 based PRFs are supported in PKCS#8 files as generated by OpenSSL 1.1.
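Review bot: In the first hunk (NEWS lines 14-21, the CRL, keyUsage and IKE_SA termination entries), the nonReputiation -> nonRepudiation correction matches the keyUsage bit name and should be kept, but the reworded IKE_SA entry now ends with "by additionally specifying a timeout" without saying which vici/swanctl option carries that timeout; since the entry is what operators will read when looking for the feature, consider naming the option (and the force-termination option) in the text.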
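Review bot: In the dhcp plugin hunk (NEWS lines 36-44), "identities of up to 255 bytes length" reads awkwardly and the new justification "to avoid ICMP port unreachables" is elliptical; suggest "identities of up to 255 bytes in length" and "now sent from port 67 instead of 68, so that the DHCP server's replies do not trigger ICMP port unreachable messages" (or a similar full phrase), since the reason for the port change is the useful information for anyone diagnosing firewall or conntrack issues.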
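Review bot: In the hardware offload hunk (NEWS lines 47-53), changing "hardware" to "device" is fine, but the sentence now mixes the two terms ("hardware offload ... if the kernel and device support it"); suggest "if the kernel and the device support it" for readability, and consider stating that the automatic mode falls back to no offload when support is missing, if that is the actual behaviour, since that is the property an administrator will want to know before enabling it.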