[Announce] ANNOUNCE: strongswan-4.3.3 released

Andreas Steffen andreas.steffen at strongswan.org
Thu Jul 23 14:28:15 CEST 2009


Hi,

strongswan-4.3.3 is out and offers two new features:

Optional Integrity Checksum Tests
---------------------------------

The configuration option --enable-integrity-test plus the
strongswan.conf option libstrongswan.integrity_test=yes activate
integrity tests of the IKE daemons charon and pluto, libstrongswan
and all loaded plugins. Thus dynamic library misconfigurations and
non-malicious file manipulations can be reliably detected.  More
details can be found under the following wiki link:

 http://wiki.strongswan.org/wiki/strongswan/IntegrityTest

All our rw-cert UML test scenarios are run with enabled integrity
and crypto tests, e.g.

http://www.strongswan.org/uml/testresults43/ikev1/rw-cert/moon.auth.log

http://www.strongswan.org/uml/testresults43/ikev2/rw-cert/moon.daemon.log


IKEv1 Suite B Interoperability with MS Windows
----------------------------------------------

The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
IKEv1 interoperability with MS Windows using the ECP DH groups 19 and
20. Additionally the IKEv1 pluto daemon now supports the AES-CCM and
AES-GCM ESP authenticated encryption algorithms. Together with ECDSA
signatures the strongSwan IKEv1 functionality is now compliant with
Suite B defined by RFC 4869.

  http://tools.ietf.org/html/rfc4869

Still missing is AES-GMAC support by the Linux kernel (the crypto code
is there somewhere but the XFRM interface isn't [yet]). Anyway, using
ECP DH groups, ECDSA certificates and AES-GCM ESP authenticated
encryption we did a couple of successful interoperability tests with
the IPsec functionality of the Windows 7/Vista/Server 2008 Advanced
Firewall:

 http://wiki.strongswan.org/wiki/strongswan/WindowsSuiteB


Security Update
---------------

The RDN parser vulnerability discovered by Orange Labs research team
two months ago was not completely fixed by version 4.3.2. Some more
modifications had to be applied to the asn1_length() function to make
it robust. Patches for older versions are available under the link

  http://download.strongswan.org/patches/07_asn1_length_patch/

Best regards

Andreas Steffen              Martin Willi
strongSwan Project Leader    IKEv2 Software Architect

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
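
Added example, not part of the announcement and not strongSwan's code or patch: the Security Update above says asn1_length() needed further changes to be robust, and the block below shows the bounds checks a DER length decoder has to make before its result is trusted. The function name der_length and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not strongSwan's asn1_length(): decode the length
 * field of the DER TLV at buf[0..buf_len). On success returns 0 and sets
 * *len (content length) and *hdr (tag + length octets); -1 on bad input. */
int der_length(const uint8_t *buf, size_t buf_len, size_t *len, size_t *hdr)
{
    size_t n, i, value = 0;

    if (buf == NULL || buf_len < 2)       /* need tag and first length octet */
        return -1;
    if ((buf[0] & 0x1f) == 0x1f)          /* multi-octet tags not handled here */
        return -1;
    if ((buf[1] & 0x80) == 0) {           /* short form: 0..127 */
        value = buf[1];
        *hdr = 2;
    } else {
        n = buf[1] & 0x7f;                /* count of length octets that follow */
        if (n == 0 || n > sizeof(size_t)) /* indefinite form, or overflows size_t */
            return -1;
        if (n > buf_len - 2)              /* length octets run past the buffer */
            return -1;
        for (i = 0; i < n; i++)
            value = (value << 8) | buf[2 + i];
        if (buf[2] == 0 || value < 128)   /* DER demands the minimal encoding */
            return -1;
        *hdr = 2 + n;
    }
    if (value > buf_len - *hdr)           /* claimed content exceeds the buffer */
        return -1;
    *len = value;
    return 0;
}

int main(void)
{
    /* Constructed samples: valid SEQUENCE, then a length claiming 4 GiB. */
    const uint8_t ok[]  = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    const uint8_t bad[] = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xff, 0x00 };
    size_t len = 0, hdr = 0;

    printf("ok:  %d\n", der_length(ok, sizeof ok, &len, &hdr));
    printf("bad: %d\n", der_length(bad, sizeof bad, &len, &hdr));
    return 0;
}
```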

