Accepting request 33800 from network:vpn

Copy from network:vpn/strongswan based on submit request 33800 from user mtomaschewski

OBS-URL: https://build.opensuse.org/request/show/33800
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/strongswan?expand=0&rev=19

strongswan.changes

@@ -1,3 +1,103 @@
+-------------------------------------------------------------------
+Tue Mar  2 21:42:10 CET 2010 - mt@suse.de
+
+- Updated to strongSwan 4.3.6 release, changes since 4.3.4 are:
+  * The IKEv2 daemon supports RFC 3779 IP address block constraints
+  carried as a critical X.509v3 extension in the peer certificate.
+  * The ipsec pool --add|del dns|nbns command manages DNS and NBNS
+  name server entries that are sent via the IKEv1 Mode Config or
+  IKEv2 Configuration Payload to remote clients.
+  * The Camellia cipher can be used as an IKEv1 encryption algorithm.
+  * The IKEv1 and IKEV2 daemons now check certificate path length
+  constraints.
+  * The new ipsec.conf conn option "inactivity" closes a CHILD_SA if
+  no traffic was sent or received within the given interval. To close
+  the complete IKE_SA if its only CHILD_SA was inactive, set the
+  global strongswan.conf option "charon.inactivity_close_ike" to yes.
+  * More detailed IKEv2 EAP payload information in debug output
+  * IKEv2 EAP-SIM and EAP-AKA share joint libsimaka library
+  * Added required userland changes for proper SHA256 and SHA384/512
+  in ESP that will be introduced with Linux 2.6.33.
+  The "sha256"/"sha2_256" keyword now configures the kernel with 128
+  bit truncation, not the non-standard 96 bit truncation used by
+  previous releases. To use the old 96 bit truncation scheme, the new
+  "sha256_96" proposal keyword has been introduced.
+  * Fixed IPComp in tunnel mode, stripping out the duplicated outer
+  header. This change makes IPcomp tunnel mode connections
+  incompatible with previous releases; disable compression on such
+  tunnels.
+  * Fixed BEET mode connections on recent kernels by installing SAs
+  with appropriate traffic selectors, based on a patch by Michael
+  Rossberg.
+  * Using extensions (such as BEET mode) and crypto algorithms (such
+  as twofish, serpent, sha256_96) allocated in the private use space
+  now require that we know its meaning, i.e. we are talking to
+  strongSwan. Use the new "charon.send_vendor_id" option in
+  strongswan.conf to let the remote peer know this is the case.
+  * Experimental support for draft-eronen-ipsec-ikev2-eap-auth, where
+  the responder omits public key authentication in favor of a mutual
+  authentication method. To enable EAP-only authentication, set
+  rightauth=eap on the responder to rely only on the MSK constructed
+  AUTH payload. This not-yet standardized extension requires the
+  strongSwan vendor ID introduced above.
+  * The IKEv1 daemon ignores the Juniper SRX notification type 40001,
+  thus allowing interoperability.
+  * The IKEv1 pluto daemon can now use SQL-based address pools to
+  deal out virtual IP addresses as a Mode Config server. The pool
+  capability has been migrated from charon's sql plugin to a new
+  attr-sql plugin which is loaded by libstrongswan and which can be
+  used by both daemons either with a SQLite or MySQL database and the
+  corresponding plugin.
+  * Plugin names have been streamlined: EAP plugins now have a dash
+  after eap (e.g. eap-sim), as it is used with the --enable-eap-sim
+  ./configure option.
+  Plugin configuration sections in strongswan.conf now use the same
+  name as the plugin itself (i.e. with a dash). Make sure to update
+  "load" directives and the affected plugin sections in existing
+  strongswan.conf files.
+  * The private/public key parsing and encoding has been split up
+  into separate pkcs1, pgp, pem and dnskey plugins. The public key
+  implementation plugins gmp, gcrypt and openssl can all make use
+  of them.
+  * The EAP-AKA plugin can use different backends for USIM/quintuplet
+  calculations, very similar to the EAP-SIM plugin. The existing 3GPP2
+  software implementation has been migrated to a separate plugin.
+  * The IKEv2 daemon charon gained basic PGP support. It can use
+  locally installed peer certificates and can issue signatures based
+  on RSA private keys.
+  * The new 'ipsec pki' tool provides a set of commands to maintain a
+  public key infrastructure. It currently supports operations to
+  create RSA and ECDSA private/public keys, calculate fingerprints and
+  issue or verify certificates.
+  * Charon uses a monotonic time source for statistics and job
+  queueing, behaving correctly if the system time changes (e.g. when
+  using NTP).
+  * In addition to time based rekeying, charon supports IPsec SA
+  lifetimes based on processed volume or number of packets.
+  They new ipsec.conf paramaters 'lifetime' (an alias to 'keylife'),
+  'lifebytes' and 'lifepackets' handle SA timeouts, while the
+  parameters 'margintime' (an alias to rekeymargin), 'marginbytes'
+  and 'marginpackets' trigger the rekeying before a SA expires.
+  The existing parameter 'rekeyfuzz' affects all margins.
+  * If no CA/Gateway certificate is specified in the NetworkManager
+  plugin, charon uses a set of trusted root certificates preinstalled
+  by distributions. The directory containing CA certificates can be
+  specified using the --with-nm-ca-dir=path configure option.
+  * Fixed the encoding of the Email relative distinguished name in
+  left|rightid statements.
+  * Fixed the broken parsing of PKCS#7 wrapped certificates by the
+  pluto daemon.
+  * Fixed smartcard-based authentication in the pluto daemon which
+  was broken by the ECDSA support introduced with the 4.3.2 release.
+  * A patch contributed by Heiko Hund fixes mixed IPv6 in IPv4 and
+  vice versa tunnels established with the IKEv1 pluto daemon.
+  * The pluto daemon now uses the libstrongswan x509 plugin for
+  certificates and CRls and the struct id type was replaced by
+  identification_t used by charon and the libstrongswan library.
+- Removed obsolete load_secrets patches, refreshed modprobe patch.
+- Corrected a time_t cast reported by rpmlint (timer.c:51)
+- Disabled libtoolize call and the gcrypt plugin on SLE 10.
+
 -------------------------------------------------------------------
 Fri Sep  4 12:56:59 CEST 2009 - mt@suse.de