Release and vulnerability announcements for strongSwan

strongSwan 5.6.1 Released

We are happy to announce the release of strongSwan 5.6.1 which removes deprecated algorithms from default proposals, supports RSASSA-PSS signatures, and brings several other new features and fixes.

Removal of Deprecated Algorithms

In compliance with RFC 8221 and RFC 8247 several algorithms were removed from the default ESP/AH and IKEv2 proposals, respectively. Removed from the default ESP/AH proposal were the 3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKEv2 default proposal (also the IKEv1 default proposal) the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the latter is significant for Windows clients in their default configuration).
These algorithms may still be used in custom proposals.

Support for RSASSA-PSS Signatures

Support for RSASSA-PSS signatures has been added. For compatibility with previous releases they are currently not used automatically, by default, to change that charon.rsa_pss may be enabled. To explicitly use or require such signatures during IKEv2 signature authentication (RFC 7427) ike:rsa/pss... authentication constraints may be used for specific connections (regardless of whether the strongswan.conf option above is enabled). Only the hash algorithm can be specified in such constraints, the MGF1 will be based on that hash and the salt length will equal the hash length (when verifying the salt length is not enforced). To enforce such signatures during PKI verification rsa/pss... authentication constraints may be used.

All pki commands that create certificates/CRLs can be made to sign with RSASSA-PSS instead of the classing PKCS#1 scheme with the --rsa-padding pss option. As with signatures during authentication, only the hash algorithm is configurable (via --digest option), the MGF1 will be based on that and the salt length will equal the hash length.

These signatures are supported by all RSA backends except pkcs11 (i.e. gmp, gcrypt, openssl). The gmp plugin requires the mgf1 plugin (enabled by default if gmp is enabled).

Note that RSASSA-PSS algorithm identifiers and parameters in keys (public keys in certificates or private keys in PKCS#8 files) are currently not used as constraints.

sec-updater Tool

The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database accordingly. Additionally for each new package version a SWID tag for the given OS and HW architecture is created and stored in the database. Using the script template the lookup can be automated (e.g. via an hourly cron job).

IKE Event Counters via VICI

The IKE event counters, previously only available via ipsec listcounters command, may now also be queried and reset via vici and the new swanctl --counters command. They are collected and provided by the optional counters plugin (enabled by default for backwards compatibility if the stroke plugin is built).

Initiator SPI Reset for Restarted IKE SAs

When restarting an IKEv2 negotiation after receiving an INVALID_KE_PAYLOAD notify (or due to other reasons like too many retransmits) a new initiator SPI is allocated. This prevents issues caused by retransmits for IKE_SA_INIT messages.

Other Notable Features and Fixes

Download Complete Changelog