Skip to content

strongSwan 5.9.9

Compare
Choose a tag to compare
@tobiasbrunner tobiasbrunner released this 03 Jan 12:47
· 713 commits to master since this release
  • Fixed an issue that could cause OCSP requests to contain an incorrect serial number if the openssl plugin parsed the certificate (#1415). Also see below for changes regarding the unified handling of serial numbers in code.
  • The path/command for resolvconf(8) used by the resolve plugin is now configurable (dee1916).
  • The resolve plugin does not invoke resolvconf(8) with individual interface names for each name server anymore. Instead, it uses a single, configurable interface/protocol name and provides all available name servers to resolvconf(8) every time a name server is added or removed (#1353).
  • The listen() operation in the VICI Python bindings may now optionally time out, which can be useful when listening for events in a separate thread as that can otherwise not be canceled easily (#1416). Support for Python 2 has been dropped.
  • The first reqid that's automatically assigned to a CHILD_SA is now configurable via charon.reqid_base in strongswan.conf. This allows reserving some low reqids for manual allocation.
  • Default values for soft lifetimes of CHILD_SAs configured via swanctl.conf/VICI are now based on hard lifetimes if any are configured. Previously, it only worked the other way around (#1414).
  • The kernel-netlink plugin now logs extended ACK error and warning messages provided by the Linux kernel if e.g. the installation of an SA or policy fails. This should give users a clearer indication of what might be wrong than the generic error messages for error codes like EINVAL or ENOSYS did previously.
  • Several build conflicts with wolfSSL's OpenSSL compatibility layer have been resolved (#1332).
  • For developers:
    • The get_serial() method of the x509_t, crl_t, and ac_t interfaces is now expected to return serial numbers in canonical form (i.e. without leading zeros). The existing plugins that implement or use these interfaces have been adapted accordingly, make sure to do the same with custom plugins/patches.
    • If linked against libbfd (--enable-bfd-backtraces), our own leak detective can whitelist functions that are otherwise not visible.

Refer to the 5.9.9 milestone for a list of all closed issues and pull requests.