From 623d3dcf78c0d96e44dbf2867b02acf10e51a812 Mon Sep 17 00:00:00 2001
From: Andreas Steffen <andreas.steffen@strongswan.org>
Date: Fri, 14 Jul 2006 13:21:19 +0000
Subject: [PATCH] X.509 certificate trust path verification

---
 NEWS | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 3d5af95db..d0125f1bd 100644
--- a/NEWS
+++ b/NEWS
@@ -1,15 +1,20 @@
 strongswan-4.0.2
 ----------------
 
-- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
-  IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
-  dpddelay=60s).
+- Full X.509 certificate trust chain verification has been implemented.
+  End entity certificates can be exchanged via CERT payloads. The current
+  default is leftsendcert=always, since CERTREQ payloads are not supported
+  yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls.
 
 - Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2 
   would offer more possibilities for traffic selection, but the Linux kernel
   currently does not support it. That's why we stick with these simple 
   ipsec.conf rules for now.
 
+- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
+  IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
+  dpddelay=60s).
+
 - Initial NAT traversal support in IKEv2. Charon includes NAT detection
   notify payloads to detect NAT routers between the peers. It switches
   to port 4500, uses UDP encapsulated ESP packets, handles peer address