[Announce] ANNOUNCE: strongswan-4.4.1 released
Andreas Steffen
andreas.steffen at strongswan.org
Mon Aug 2 16:14:51 CEST 2010
Hi,
we are happy to announce the strongSwan 4.4.1 release which
offers a couple of new features and fixes a major potential
vulnerability that was introduced with strongSwan 4.3.3:
- Support of XFRM marks
---------------------
The Linux 2.6.34 kernel introduced XFRM marks in IPsec SAs and
IPsec policies. We discovered two bugs, though, which are fixed
by the following kernel patch:
http://download.strongswan.org/uml/xfrm_mark.patch.bz2
This patch will be integrated into the forthcoming 2.6.35 kernel.
XFRM marks can be used e.g. to differentiate between traffic coming
from identical subnets hidden behind multiple roadwarriors using the
Linux Netfilter mangle and nat chains. Details can be found in
the following example scenarios:
http://www.strongswan.org/uml/testresults44/ikev2/nat-two-rw-mark/
http://www.strongswan.org/uml/testresults44/ikev2/rw-mark-in-out/
Another exotic case involves identical subnets behind the two peers
of an IPsec connection where the MARK and NETMAP Netfilter targets
are used to map the identical subnets to unique networks as shown
in the following example:
http://www.strongswan.org/uml/testresults44/ikev2/net2net-same-nets/
This example does all the Netfilter operations in a special updown
script:
http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown;h=d7b68956cbf7e59e2dd740381defdf3c1f655ac5;hb=HEAD
As you can see, the new environment variables PLUTO_MARK_IN,
PLUTO_MARK_OUT and PLUTO_ESP_ENC are available in updown scripts.
Inbound and outbound marks are set by the new mark_in=, mark_out= and
mark= (same mark for the inbound and outbound direction) ipsec.conf
parameters.
- openssl plugin supports X.509 certificate and CRL functions
-----------------------------------------------------------
Thus, for X.509 trust chain verification and CRL lookup, the x509
plugin is no longer required if the openssl plugin is loaded
instead. The use of the Online Certificate Status Protocol (OCSP)
still requires the x509 plugin, though. X.509 attribute certificate
handling relies on the x509 plugin as well.
- CRL and/or OCSP checking in IKEv2 moved to revocation plugin
------------------------------------------------------------
The revocation plugin is built and loaded by default. Please
update any explicit load directives in strongswan.conf.
- RFC3779 ipAddrBlock constraint checking moved to addrblock plugin
-----------------------------------------------------------------
This rather exotic feature is disabled by default and is enabled
by the --enable-addrblock configure option. Please update any
explicit load directives in strongswan.conf.
- Issue warning if explicit load lists are used
---------------------------------------------
Since the number of pluto and charon plugins is increasing
steadily with each release and explicit load lists might become
obsolete, a warning is now issued by ipsec starter if explicit
load lists are found in strongswan.conf, since we don't recommend
their use for inexperienced users. Experts, please read the
following wiki entry:
http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
- Extension of the ipsec pki utility
----------------------------------
ipsec pki --signcrl allows the generation and update of CRLs.
For details see the following wiki entry:
http://wiki.strongswan.org/projects/strongswan
The ipsec pki --self, --issue and --req commands now support output
in PEM format using the --outform pem option.
- Support of arbitrary IKEv1 Mode Config attributes
-------------------------------------------------
A major refactoring of the IKEv1 Mode Config source code now
allows the transport and handling of any Mode Config attribute.
The ipsec pool tool manages arbitrary configuration attributes
stored in an SQL database. ipsec pool --help gives the details.
- Multiple RADIUS servers supported by eap-radius plugin
------------------------------------------------------
The RADIUS proxy plugin eap-radius now supports multiple servers.
Configured servers are chosen randomly, with the option to prefer
a specific server. Non-responding servers are automatically assigned
lower priorities by the selection process. Configuration details
can be found under
http://wiki.strongswan.org/projects/strongswan/wiki/EapRadius
- eap-simaka-sql plugin
---------------------
The new eap-simaka-sql acts as a backend for EAP-SIM and EAP-AKA,
reading triplets/quintuplets from an SQL database.
- High Availability (HA) extensions
---------------------------------
The High Availability plugin now supports an HA-enabled in-memory
address pool and node re-integration without IKE_SA rekeying.
The latter feature allows clients without IKE_SA rekeying support
to stay connected during re-integration. Additionally, many other
issues have been fixed in the ha plugin.
- snprintf vulnerability
----------------------
A potential remote code execution vulnerability resulting from
the misuse of snprintf() was fixed. The vulnerability was
introduced with the strongswan-4.3.3 release and is exploitable
by unauthenticated users. Patches for all releases starting with
4.3.3 are available under the following link:
http://download.strongswan.org/patches/08_snprintf_patch/
Also, a new 4.3.7 release has been made available for 4.3.x users:
http://www.strongswan.org/old.htm
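The snprintf() return-value misuse that most often produces this class of bug, shown beside a hardened form, as an added example written for this page: the announcement does not describe the specific strongSwan defect, so this constructed code is neither strongSwan's code nor the actual fix.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (constructed illustration, not strongSwan's code):
 * snprintf() returns the length the complete output WOULD have had, even
 * when it was cut to fit. Advancing the write offset by that value pushes
 * it past the buffer end; the next append then writes out of bounds. */
int append_unsafe(char *buf, size_t size, size_t *off, const char *s)
{
    int n = snprintf(buf + *off, size - *off, "%s", s);
    *off += (size_t)n;                 /* BUG: n may exceed size - *off */
    return n;
}

/* Hardened pattern: treat the return value as a length that must fit,
 * clamp the offset at the buffer end and report truncation to the caller. */
int append_safe(char *buf, size_t size, size_t *off, const char *s)
{
    if (*off >= size)
        return -1;
    int n = snprintf(buf + *off, size - *off, "%s", s);
    if (n < 0 || (size_t)n >= size - *off) {
        *off = size - 1;               /* buffer full, output truncated */
        return -1;
    }
    *off += (size_t)n;
    return 0;
}

/* Offset the vulnerable pattern ends with after one oversized append into
 * an 8-byte buffer: 10, past the end, so a second append would overflow. */
size_t unsafe_offset_after_oversized_append(void)
{
    char buf[8];
    size_t off = 0;
    append_unsafe(buf, sizeof buf, &off, "0123456789");
    return off;                        /* second append deliberately omitted */
}

/* Same input through the hardened pattern: the second append reports
 * truncation, the offset stays at 7 and out holds "abc0123" NUL-terminated. */
size_t safe_offset_after_oversized_append(char *out, size_t outsize)
{
    size_t off = 0;
    append_safe(out, outsize, &off, "abc");
    append_safe(out, outsize, &off, "0123456789");
    return off;
}
```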
Best regards from the strongSwan team
Andreas Steffen, Tobias Brunner & Martin Willi
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==