[Announce] ANNOUNCE: strongswan-4.3.3 released
Andreas Steffen
andreas.steffen at strongswan.org
Thu Jul 23 14:28:15 CEST 2009
Hi,
strongswan-4.3.3 is out and offers two new features:
Optional Integrity Checksum Tests
---------------------------------
The configuration option --enable-integrity-test plus the
strongswan.conf option libstrongswan.integrity_test=yes activate
integrity tests of the IKE daemons charon and pluto, libstrongswan
and all loaded plugins. Thus dynamic library misconfigurations and
non-malicious file manipulations can be reliably detected. More
details can be found under the following wiki link:
http://wiki.strongswan.org/wiki/strongswan/IntegrityTest
All our rw-cert UML test scenarios are run with enabled integrity
and crypto tests, e.g.
http://www.strongswan.org/uml/testresults43/ikev1/rw-cert/moon.auth.log
http://www.strongswan.org/uml/testresults43/ikev2/rw-cert/moon.daemon.log
IKEv1 Suite B Interoperability with MS Windows
----------------------------------------------
The new default setting libstrongswan.ecp_x_coordinate_only=yes allows
IKEv1 interoperability with MS Windows using the ECP DH groups 19 and
20. Additionally the IKEv1 pluto daemon now supports the AES-CCM and
AES-GCM ESP authenticated encryption algorithms. Together with ECDSA
signatures the strongSwan IKEv1 functionality is now compliant with
Suite B defined by RFC 4869.
http://tools.ietf.org/html/rfc4869
Still missing is AES-GMAC support by the Linux kernel (the crypto code
is there somewhere but the XFRM interface isn't [yet]). Anyway, using
ECP DH groups, ECDSA certificates and AES-GCM ESP authenticated
encryption we did a couple of successful interoperability tests with
the IPsec functionality of the Windows 7/Vista/Server 2008 Advanced
Firewall:
http://wiki.strongswan.org/wiki/strongswan/WindowsSuiteB
Security Update
---------------
The RDN parser vulnerability discovered by Orange Labs research team
two months ago was not completely fixed by version 4.3.2. Some more
modifications had to be applied to the asn1_length() function to make
it robust. Patches for older versions are available under the link
http://download.strongswan.org/patches/07_asn1_length_patch/
Best regards
Andreas Steffen Martin Willi
strongSwan Project Leader IKEv2 Software Architect
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Announce
mailing list