Marius Tomaschewski
84759843df
- Fixed an authentication bypass vulnerability triggered by rekeying an unestablished IKEv2 SA while it gets actively initiated. This allowed an attacker to trick a peer's IKE_SA state to established, without the need to provide any valid authentication credentials. (CVE-2014-2338, bnc#870572). - The acert plugin evaluates X.509 Attribute Certificates. Group membership information encoded as strings can be used to fulfill authorization checks defined with the rightgroups option. Attribute Certificates can be loaded locally or get exchanged in IKEv2 certificate payloads. - The pki command gained support to generate X.509 Attribute Certificates using the --acert subcommand, while the --print command supports the ac type. The openac utility has been removed in favor of the new pki functionality. - The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols has been extended by AEAD mode support, currently limited to AES-GCM. - Fixed an issue where CRL/OCSP trustchain validation broke enforcing CA constraints - Limited OCSP signing to specific certificates to improve performance - authKeyIdentifier is not added to self-signed certificates anymore - Fixed the comparison of IKE configs if only the cipher suites were different OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=65
10 lines
428 B
Plaintext
10 lines
428 B
Plaintext
### Known warnings:
|
|
# - traditional name
|
|
addFilter("strongswan.* incoherent-init-script-name ipsec")
|
|
# - readme only, triggers full ipsec + ikev1&ikev2 install
|
|
addFilter("strongswan.* no-binary")
|
|
# - link to init script, covered by service(8)
|
|
addFilter("strongswan.* no-manual-page-for-binary rcipsec")
|
|
# - no, restating tunnels on update may break the update
|
|
addFilter("strongswan.*restart_on_update-postun /etc/init.d/ipsec")
|