[Announce] ANNOUNCE: strongswan-4.5.1 released

Andreas Steffen andreas.steffen at strongswan.org
Sat Feb 12 13:09:06 CET 2011


Hello,

we are proud to release strongSwan 4.5.1 which comes with
a lot of new features:

Trusted Network Connect (TNC)
-----------------------------

- Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol
  (PB) compatible with Trusted Network Connect (TNC). The TNCCS 2.0
  protocol requires the tnccs_20, tnc_imc and tnc_imv plugins but does
  not depend on the libtnc library. Any available IMV/IMC pairs
  conforming to the Trusted Computing Group's TNC-IF-IMV/IMC 1.2
  interface specification can be loaded via /etc/tnc_config.

  http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-20/

- Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
  plugins in place of the external libtnc library.

  http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-11-radius/

- The tnccs_dynamic plugin loaded on a TNC server in addition to the
  tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
  protocol version used by a TNC client and invokes an instance of
  the corresponding protocol stack.

  http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-dynamic/

SQL Configuration Backend Extensions
------------------------------------

- IKE and ESP proposals can now be stored in an SQL database using a
  new proposals table. The start_action field in the child_configs
  tables allows the automatic starting or routing of connections stored
  in an SQL database.

  http://www.strongswan.org/uml/testresults/sql/net2net-start-pem/

  http://www.strongswan.org/uml/testresults/sql/net2net-route-pem/

- The new certificate_authorities and certificate_distribution_points
  tables make it possible to store CRL and OCSP Certificate Distribution
  points in an SQL database.

  http://www.strongswan.org/uml/testresults/sql/multi-level-ca/

Include statements in strongswan.conf
-------------------------------------

- The new 'include' statement allows to recursively include other files
  in strongswan.conf. Existing sections and values are thereby extended
  and replaced, respectively.

- Due to the changes in the parser for strongswan.conf, the
  configuration syntax for the attr plugin has changed.  Previously, it
  was possible to specify multiple values of a specific attribute type
  by adding multiple key/value pairs with the same key (e.g. dns) to
  the plugins.attr section. Because values with the same key now
  replace previously defined values this is not possible anymore. As an
  alternative, multiple values can be specified by separating them with
  a comma (e.g. dns = 1.2.3.4, 2.3.4.5).

Traffic Flow Confidentiality
----------------------------

- Traffic Flow Confidentiality padding supported with Linux 2.6.38 can
  be used by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all
  packets to a given boundary, the special value '%mtu' pads all
  packets to the path MTU.

Use of Linux Crypto API for IKE and other Userland Applications
---------------------------------------------------------------

- The new af-alg plugin can use various crypto primitives of the Linux
  Crypto API using the AF_ALG interface introduced with 2.6.38. This
  removes the need for additional userland implementations of symmetric
  cipher, hash, hmac and xcbc algorithms.

INITIAL_CONTACT Notification
----------------------------

- The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
  responder. The notify is sent when initiating configurations with a
  unique policy, set in ipsec.conf via the global 'uniqueids' option.

Conftest IKEv2 Conformance Testing Framework
--------------------------------------------

- The conftest conformance testing framework enables the IKEv2 stack to
  performmany tests using a distinct tool and configuration frontend.
  Various hooks can alter reserved bits, flags, add custom notifies and
  proposals, reorder or drop messages and much more. It is enabled
  using the --enable-conftest ./configure switch.

X.509 Certificate Constraints
-----------------------------

- The new libstrongswan constraints plugin provides advanced X.509
  constraint checking. In additon to X.509 pathLen constraints, the
  plugin checks for nameConstraints and certificatePolicies, including
  policyMappings and policyConstraints. The x509 certificate plugin and
  the pki tool have been enhanced to support these extensions. The new
  left/rightcertpolicy ipsec.conf connection keywords take OIDs a peer
  certificate must have.

- The left/rightauth ipsec.conf keywords accept values with a minimum
  strength for trustchain public keys in bits, such as rsa-2048 or
  ecdsa-256.

Support for Delta CRLs
----------------------

- The revocation and x509 libstrongswan plugins and the pki tool gained
  basic support for delta CRLs.

Enjoy the new release and report any problems you may encounter!

Best regards

Tobias Brunner, Martin Willi & Andreas Steffen

The strongSwan Team

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==



More information about the Announce mailing list