  • strongSwan 5.1.1 released, the IPsec project for Linux

    strongSwan is a complete IPsec and IKEv1 implementation for the Linux 2.4 and 2.6 kernels. It also fully supports the newer IKEv2 protocol on Linux 2.6 kernels. In both IKEv1 and IKEv2 modes it interoperates with most other IPsec-based VPN products, and it supports RADIUS. The project's focus is strong authentication: X.509 public-key certificates, with optional secure storage of private keys on smart cards through a standardized PKCS #11 interface. One distinctive feature is the use of X.509 attribute certificates to implement advanced access control schemes based on group membership.

    strongSwan 5.1.1 was released on 2013-11-01. Like Openswan, it is a successor to FreeS/WAN, whose development stopped some time ago. The previous release was 5.1.0 on 2013-08-01.

    Complete list of changes:

    Version 5.1.1

    • Fixed a denial-of-service vulnerability and potential authorization bypass
      triggered by a crafted ID_DER_ASN1_DN ID payload. The cause is an insufficient
      length check when comparing such identities. The vulnerability has been
      registered as CVE-2013-6075.
      Refer to our blog for details.
    • Fixed a denial-of-service vulnerability triggered by a crafted IKEv1
      fragmentation payload. The cause is a NULL pointer dereference. The
      vulnerability has been registered as CVE-2013-6076.
      Refer to our blog for details.
    • The lean stand-alone pt-tls-client can set up an RFC 6876 PT-TLS session
      with a strongSwan policy enforcement point which uses the tnc-pdp charon
      plugin.
    • The new TCG TNC SWID IMC/IMV pair supports targeted SWID requests for either
      full SWID Tag or concise SWID Tag ID inventories.
    • The XAuth backend in eap-radius now supports multiple XAuth exchanges for
      different credential types and display messages. All user input gets
      concatenated and verified with a single User-Password RADIUS attribute on
      the AAA. With an AAA supporting it, one for example can implement
      Password+Token authentication with proper dialogs on iOS and OS X clients.
    • charon supports IKEv1 Mode Config exchange in push mode. The ipsec.conf
      modeconfig=push option enables it for both client and server, the same way
      as pluto used it.
    • Using the ah ipsec.conf keyword on both IKEv1 and IKEv2 connections,
      charon can negotiate and install Security Associations integrity-protected by
      the Authentication Header protocol. Supported are plain AH SAs only,
      but not the deprecated RFC 2401 style ESP+AH bundles.
    • The generation of initialization vectors for IKE and ESP (when using libipsec)
      is now modularized and IVs for e.g. AES-GCM are now correctly allocated
      sequentially, while other algorithms like AES-CBC still use random IVs.
    • The left and right options in ipsec.conf can take multiple address ranges
      and subnets. This allows connection matching against a larger set of
      addresses, for example to use a different connection for clients connecting
      from an internal network.
    • For all those who have a queasy feeling about the NIST elliptic curve set,
      the Brainpool curves introduced for use with IKE by RFC 6932 might be a
      more trustworthy alternative.
    • The kernel-libipsec userland IPsec backend now supports usage statistics,
      volume based rekeying and accepts ESPv3 style TFC padded packets.
    • libipsec now properly calculates padding length especially for AES-GCM.
    • load-tester supports transport mode connections and more complex traffic
      selectors, including such using unique ports for each tunnel.
    • The new dnscert plugin provides support for authentication via CERT RRs that
      are protected via DNSSEC. The plugin was created by Ruslan N. Marchenko.
    • The eap-radius plugin supports forwarding of several Cisco Unity specific
      RADIUS attributes in corresponding configuration payloads.
    • The ipsec pki utility and its subcommands all received man pages.
      The command itself is now installed in $prefix/bin by default. So the ipsec
      prefix is now optional.
    • pki --pub is able to convert public keys to other formats (e.g. DNSKEY or SSH).
    • Database transactions are now abstracted and implemented by the two backends.
      If you use MySQL make sure all tables use the InnoDB engine.
    • libstrongswan now can provide an experimental custom implementation of the
      printf family functions based on klibc if neither Vstr nor glibc style printf
      hooks are available. This can avoid the Vstr dependency on some systems at
      the cost of slower and less complete printf functions.
    • Handling of ICMP[v6] has been improved. For instance, traffic selectors with
      specific ICMP message type and code can now be configured in ipsec.conf
      and are properly installed in the kernel.
    • IKEv1 reauthentication should be more stable with third-party peers (ee99f37e, d2e4dd75).
    • Fixes a regression in 5.1.0 that caused a segmentation fault when reestablishing
      CHILD_SAs due to closeaction=restart|hold (e42ab08a).
    • Fixes a regression in 5.1.0 that caused IP addresses on ignored, down or loopback
      interfaces to get ignored when searching for an address contained in the local traffic
      selector (d7ae0b254).
    • The calculation of the ESN bitmap length in the kernel-netlink plugin was fixed (e001cc2b).
    • When removing configs via the stroke plugin (e.g. with ipsec update/reload), matching
      peer configs are not removed anymore if they are still used by other child configs (791fde16).
    • reqids of established CHILD_SAs are reused when routing connections via stroke plugin (32fef0c6).
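    The following ipsec.conf fragment is an added illustration, not part of the strongSwan release notes or of this blog post. It exercises three of the 5.1.1 options listed above in one place: the ah keyword (AH integrity protection instead of ESP), a right option holding more than one subnet, and modeconfig=push on an IKEv1 connection. All addresses, identities and certificate file names are made-up documentation values.

```ini
# Added example (not from the release notes). Addresses, IDs and
# certificate names below are assumed placeholders.

config setup

# IKEv2 connection whose CHILD_SAs are protected by AH only.
# NOTE: AH gives integrity and origin authentication but NO confidentiality,
# and it cannot pass through NAT, so use it only where that is acceptable.
conn ah-only
    keyexchange=ikev2
    left=192.0.2.1
    leftid=@gw.example.org
    leftcert=gwCert.pem
    # Multiple address ranges/subnets in one option (new in 5.1.1):
    # peers from either network match this connection.
    right=198.51.100.0/24,203.0.113.0/24
    rightid=%any
    ike=aes256-sha256-modp2048!
    # 'ah' replaces 'esp'; 5.1.1 does not negotiate ESP+AH bundles.
    ah=sha256
    type=transport
    auto=add

# IKEv1 road-warrior connection using Mode Config in push mode
# (the server pushes the virtual IP, as pluto used to do).
conn ikev1-push
    keyexchange=ikev1
    modeconfig=push
    left=192.0.2.1
    leftcert=gwCert.pem
    leftsubnet=10.0.0.0/8
    right=%any
    rightauth=pubkey
    rightsourceip=10.10.0.0/24
    auto=add
```

    A separate connection is used for AH because ah and esp are alternatives for a given conn: a peer that needs confidentiality should get an esp-based connection instead.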

    Download: http://download.strongswan.org/strongswan-5.1.1.tar.bz2

  • Original article: https://www.cnblogs.com/shihao/p/3423053.html