X.509 certificate trust path verification

2006-07-14 13:21:19 +00:00 · 2006-07-14 13:21:19 +00:00 · 623d3dcf78
parent a9ae2c01ed
commit 623d3dcf78
1 changed files with 8 additions and 3 deletions
--- a/11
+++ b/11
@ -1,15 +1,20 @@
 strongswan-4.0.2
 ----------------

- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
-  IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
-  dpddelay=60s).
+- Full X.509 certificate trust chain verification has been implemented.
+  End entity certificates can be exchanged via CERT payloads. The current
+  default is leftsendcert=always, since CERTREQ payloads are not supported
+  yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls.

 - Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 
  would offer more possibilities for traffic selection, but the Linux kernel
  currently does not support it. That's why we stick with these simple 
  ipsec.conf rules for now.

+- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
+  IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
+  dpddelay=60s).
+
 - Initial NAT traversal support in IKEv2. Charon includes NAT detection
  notify payloads to detect NAT routers between the peers. It switches
  to port 4500, uses UDP encapsulated ESP packets, handles peer address