- Update to release 5.9.11
* A long-standing deadlock in the vici plugin has been fixed that
could get triggered when multiple connections were
initiated/terminated concurrently and control-log events were
raised by the watcher_t component (#566).
* In compliance with RFC 5280, CRLs now have to be signed by a
certificate that either encodes the cRLSign keyUsage bit
(even if it is a CA certificate), or is a CA certificate without
a keyUsage extension. strongSwan encodes a keyUsage extension
with cRLSign bit set in all CA certificates since 13 years. And
before that it didn't encode the extension, so these certificates
would also be accepted as CRL issuer in case they are still valid
(7dc82de).
* Support for optional CA labels in EST server URIs
(e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>)
was added to the pki --est and pki --estca commands (#1614).
* The pkcs7 and openssl plugins now support CMS-style signatures in
PKCS#7 containers, which allows verifying RSA-PSS and ECDSA
signatures (#1615).
* Fixed a regression in the server implementation of EAP-TLS when
using TLS 1.2 or earlier that was introduced with 5.9.10
(#1613, 3d0d3f5).
* The EAP-TLS client does now enforce that the TLS handshake is
complete when using TLS 1.2 or earlier. It was possible to
shortcut it by sending an early EAP-Success message. Note that
this isn't a security issue as the server is authenticated at
that point (db87087).
* On Linux, the kernel-libipsec plugin can now optionally handle
ESP packets without UDP encapsulation (uses RAW sockets, disabled
by default, e3cb756). The plugin and libipsec also gained support
OBS-URL: https://build.opensuse.org/request/show/1092621
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=149