forked from pool/strongswan
Marius Tomaschewski
84759843df
- Fixed an authentication bypass vulnerability triggered by rekeying
an unestablished IKEv2 SA while it gets actively initiated. This
allowed an attacker to trick a peer's IKE_SA state to established,
without the need to provide any valid authentication credentials.
(CVE-2014-2338, bnc#870572).
- The acert plugin evaluates X.509 Attribute Certificates. Group
membership information encoded as strings can be used to fulfill
authorization checks defined with the rightgroups option.
Attribute Certificates can be loaded locally or get exchanged in
IKEv2 certificate payloads.
- The pki command gained support to generate X.509 Attribute
Certificates using the --acert subcommand, while the --print
command supports the ac type. The openac utility has been removed
in favor of the new pki functionality.
- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other
protocols has been extended by AEAD mode support, currently limited
to AES-GCM.
- Fixed an issue where CRL/OCSP trustchain validation broke enforcing
CA constraints
- Limited OCSP signing to specific certificates to improve performance
- authKeyIdentifier is not added to self-signed certificates anymore
- Fixed the comparison of IKE configs if only the cipher suites were
different
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=65
|
||
|---|---|---|
| .gitattributes | ||
| .gitignore | ||
| README.SUSE | ||
| strongswan_ipsec_service.patch | ||
| strongswan_modprobe_syslog.patch | ||
| strongswan-5.1.3-rpmlintrc | ||
| strongswan-5.1.3.tar.bz2 | ||
| strongswan-5.1.3.tar.bz2.sig | ||
| strongswan.changes | ||
| strongswan.init.in | ||
| strongswan.keyring | ||
| strongswan.spec | ||
Dear Customer, please note, that the strongswan release 4.5 changes the keyexchange mode to IKEv2 as default -- from strongswan-4.5.0/NEWS: "[...] IMPORTANT: the default keyexchange mode 'ike' is changing with release 4.5 from 'ikev1' to 'ikev2', thus commemorating the five year anniversary of the IKEv2 RFC 4306 and its mature successor RFC 5996. The time has definitively come for IKEv1 to go into retirement and to cede its place to the much more robust, powerful and versatile IKEv2 protocol! [...]" This requires adoption of either the "conn %default" or all other IKEv1 "conn" sections in the /etc/ipsec.conf to use explicit: keyexchange=ikev1 The strongswan package does no provide any files any more, but triggers the installation of both, IKEv1 (pluto) and IKEv2 (charon) daemons and the traditional starter scripts inclusive of the /etc/init.d/ipsec init script and /etc/ipsec.conf file. There is a new strongswan-nm package with a NetworkManager plugin to control the charon IKEv2 daemon through D-Bus, designed to work using the NetworkManager-strongswan graphical user interface. It does not depend on the traditional starter scripts, but on the IKEv2 charon daemon and plugins only. Have a lot of fun...