X.509 certificate trust path verification
parent a9ae2c01ed
commit 623d3dcf78

NEWS (11 lines changed)
@@ -1,15 +1,20 @@
 strongswan-4.0.2
 ----------------
 
-- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
-  IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
-  dpddelay=60s).
+- Full X.509 certificate trust chain verification has been implemented.
+  End entity certificates can be exchanged via CERT payloads. The current
+  default is leftsendcert=always, since CERTREQ payloads are not supported
+  yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls.
 
 - Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2
   would offer more possibilities for traffic selection, but the Linux kernel
   currently does not support it. That's why we stick with these simple
   ipsec.conf rules for now.
 
+- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
+  IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
+  dpddelay=60s).
+
 - Initial NAT traversal support in IKEv2. Charon includes NAT detection
   notify payloads to detect NAT routers between the peers. It switches
   to port 4500, uses UDP encapsulated ESP packets, handles peer address
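Review bot: The new X.509 entry (lines +4 to +7) leaves the revocation semantics undefined: "Optional CRLs must be imported locally into /etc/ipsec.d/crls" does not say what the chain check does when no CRL for the issuing CA has been imported, or when an imported CRL has expired, and a reader cannot tell from this text whether a chain with an unknown revocation status is accepted or rejected. Suggest adding one sentence that states the behaviour in each case, since "optional" will otherwise be read as "revocation is not checked unless a CRL happens to be present". The same entry says "CERTREQ payloads are not supported yet" as the reason for "leftsendcert=always"; it would help operators to state plainly that a peer which does not send its certificate inline therefore cannot be authenticated by chain verification in this release. Separately, the DPD entry (old lines 4 to 6, new lines 14 to 17) is moved below the leftprotoport entry with no change in wording; that reordering is unrelated to the commit subject and would be clearer either as its own commit or with a mention in the commit message.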