strongSwan 5.9.9
- Fixed an issue that could cause OCSP requests to contain an incorrect serial number if the openssl plugin parsed the certificate (#1415). Also see below for changes regarding the unified handling of serial numbers in code.
- The path/command for `resolvconf(8)` used by the resolve plugin is now configurable (dee1916).
- The resolve plugin does not invoke `resolvconf(8)` with individual interface names for each name server anymore. Instead, it uses a single, configurable interface/protocol name and provides all available name servers to `resolvconf(8)` every time a name server is added or removed (#1353).
- The `listen()` operation in the VICI Python bindings may now optionally time out, which can be useful when listening for events in a separate thread, as that can otherwise not be canceled easily (#1416). Support for Python 2 has been dropped.
- The first reqid that's automatically assigned to a CHILD_SA is now configurable via `charon.reqid_base` in strongswan.conf. This allows reserving some low reqids for manual allocation.
- Default values for soft lifetimes of CHILD_SAs configured via swanctl.conf/VICI are now based on hard lifetimes if any are configured. Previously, it only worked the other way around (#1414).
- The kernel-netlink plugin now logs extended ACK error and warning messages provided by the Linux kernel if e.g. the installation of an SA or policy fails. This should give users a clearer indication of what might be wrong than the generic error messages for error codes like `EINVAL` or `ENOSYS` did previously.
- Several build conflicts with wolfSSL's OpenSSL compatibility layer have been resolved (#1332).
- For developers:
  - The `get_serial()` method of the `x509_t`, `crl_t`, and `ac_t` interfaces is now expected to return serial numbers in canonical form (i.e. without leading zeros). The existing plugins that implement or use these interfaces have been adapted accordingly; make sure to do the same with custom plugins/patches.
  - If linked against `libbfd` (`--enable-bfd-backtraces`), our own leak detective can whitelist functions that are otherwise not visible.
- The
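The canonical-form rule for serial numbers above, as an added example that is not strongSwan code: a helper that strips leading zero bytes from a big-endian serial (what a `get_serial()` implementation is now expected to return), compares two serials regardless of whether one parser kept the DER sign byte, and re-adds that sign byte when encoding the value as a DER INTEGER, as an OCSP request does. The function names, the single-byte DER length limit and the fixed output buffer are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return the canonical (leading-zero-free) view of a big-endian serial:
 * *out points into 'in', the canonical length is returned. An empty or
 * all-zero serial canonicalizes to the single byte 0x00. */
size_t serial_canonical(const uint8_t *in, size_t len, const uint8_t **out)
{
    static const uint8_t zero = 0x00;
    while (len > 1 && in[0] == 0x00) { in++; len--; }
    if (len == 0) {
        *out = &zero;
        return 1;
    }
    *out = in;
    return len;
}

/* Compare two serials that may come from different parsers, one of which
 * may have kept a leading 0x00 sign byte from the DER encoding. */
int serial_equals(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    const uint8_t *ca, *cb;
    size_t cal = serial_canonical(a, alen, &ca);
    size_t cbl = serial_canonical(b, blen, &cb);
    return cal == cbl && memcmp(ca, cb, cal) == 0;
}

/* Encode a serial as a DER INTEGER (tag 0x02). A 0x00 sign byte is added
 * only when the high bit of the canonical value is set, so the integer
 * stays positive. Returns bytes written, or 0 if 'out' is too small or
 * the value would need a multi-byte length (assumed not to occur here). */
size_t serial_to_der(const uint8_t *serial, size_t len, uint8_t *out, size_t outlen)
{
    const uint8_t *c;
    size_t clen = serial_canonical(serial, len, &c);
    size_t pad = (c[0] & 0x80) ? 1 : 0;
    size_t total = 2 + pad + clen;
    if (clen + pad > 127 || outlen < total) return 0;
    out[0] = 0x02;
    out[1] = (uint8_t)(clen + pad);
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, c, clen);
    return total;
}
```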
Refer to the 5.9.9 milestone for a list of all closed issues and pull requests.