strongSwan 5.1.3 released, the IPsec project for Linux

strongSwan is a complete implementation of IPsec and IKEv1 for the Linux 2.4 and 2.6 kernels, and it fully supports the newer IKEv2 protocol on the Linux 2.6 kernel. In both IKEv1 and IKEv2 mode it interoperates with most other IPsec-based VPN products, and it supports RADIUS. The project's focus is strong authentication: X.509 public key certificates, with the private keys optionally stored securely on smart cards accessed through the standardized PKCS #11 interface. One particular feature is the use of X.509 attribute certificates to implement an advanced access control scheme based on group membership.

strongSwan 5.1.3 was released on 2014-04-15. It is an implementation of IPsec and IKE, commonly used to build IPsec VPNs on Linux, and it supports RADIUS. Together with Openswan it is a successor to FreeS/WAN, whose development stopped some time ago. The previous version, 5.1.2, was released on 2014-02-28.


Version 5.1.3

  • Fixed an authentication bypass vulnerability triggered by rekeying an
    unestablished IKE_SA while it gets actively initiated. This allowed an
    attacker to trick a peer's IKE_SA state to established, without the need to
    provide any valid authentication credentials.  The vulnerability has been
    registered as CVE-2014-2338.
    Refer to our blog for details.

  • The acert plugin evaluates X.509 Attribute Certificates. Group membership
    information encoded as strings can be used to fulfill authorization checks
    defined with the rightgroups ipsec.conf option. Attribute Certificates can be
    loaded locally or get exchanged in IKEv2 certificate payloads.

  • The pki command gained support to generate X.509 Attribute Certificates
    using the --acert subcommand, while the --print command supports the ac type.
    The openac utility has been removed in favor of the new pki functionality.

  • The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols
    has been extended by AEAD mode support, currently limited to AES-GCM.

  • Fixed an issue where CRL/OCSP trustchain validation broke enforcing CA constraints (a844b6589034).

  • Limited OCSP signing to specific certificates to improve performance (91d71abb16a9).

  • authKeyIdentifier is not added to self-signed certificates anymore (f7d04ba6c462).

  • Fixed the comparison of IKE configs if only the cipher suites were different (23f34f6ed504).
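The acert entry above describes group-based authorization: a peer's X.509 certificate proves identity, and an attribute certificate issued by a trusted attribute authority proves group membership, which the `rightgroups` option then checks. The following ipsec.conf fragment is an added example, not taken from the strongSwan documentation; the DNs, group names, file names and subnets are constructed, and it assumes the gateway is built with the acert plugin and that attribute certificates are placed in the assumed directory `/etc/ipsec.d/acerts/`.

```conf
# /etc/ipsec.conf on the gateway (constructed example, strongSwan 5.1.3).
# Assumption: the acert plugin is loaded and the clients' attribute
# certificates are installed under /etc/ipsec.d/acerts/ (assumed path).
config setup

conn %default
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gwCert.pem
    leftid="C=CH, O=Example Org, CN=vpn.example.org"    # constructed DN
    leftsubnet=10.0.0.0/16

# Weak: every client holding a certificate signed by the corporate CA is
# admitted to the whole network. Identity is verified, authorization is not.
conn roadwarrior-any
    right=%any
    rightauth=pubkey
    rightca="C=CH, O=Example Org, CN=Example Org CA"     # constructed DN
    auto=add

# Hardened: in addition to a valid CA-issued certificate, the client must hold
# an attribute certificate (from a trusted attribute authority) whose group
# strings include 'Research' or 'Sales'. The acert plugin evaluates
# rightgroups against those strings during IKE_AUTH; a client without a
# matching attribute certificate does not match this conn at all.
conn roadwarrior-research
    right=%any
    rightauth=pubkey
    rightca="C=CH, O=Example Org, CN=Example Org CA"     # constructed DN
    rightgroups="Research, Sales"                         # constructed groups
    rightsubnet=10.0.1.0/24
    auto=add
```

Use one of the two conns, not both: if `roadwarrior-any` stays configured alongside `roadwarrior-research`, a client that fails the group check still matches the permissive conn, so the group constraint restricts nothing.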