We are happy to announce the release of strongSwan 5.9.1, which supports TPM 2.0 BIOS/EFI measurements and brings several other new features and fixes.
Support for TPM 2.0 BIOS/EFI Measurements
Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI measurements introduced with the Linux 5.4 kernel. This includes support for the BIOS/EFI event log and variable sized PCR banks. The tpm plugin also supports SHA-3 and CMAC with TPM 2.0.
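The core of validating such measurements on the attestation server side is replaying the BIOS/EFI event log into PCR values and comparing the result with what the TPM actually reports. The following is an added example written for this page, not strongSwan's own attestation code: it parses crypto-agile TCG_PCR_EVENT2 records carrying both a SHA-1 and a SHA-256 digest per event (the "variable sized PCR banks" mentioned above), replays them into the chosen bank with the standard extend operation, and flags PCRs whose replayed value does not match the quoted one. The log is constructed in-process, the TCG Spec ID header event that real logs begin with is assumed to have been stripped, and event digests are plain hashes of the sample bytes rather than the Authenticode hashes a firmware would compute for real EFI binaries.

```python
"""Replay a TPM 2.0 BIOS/EFI event log (TCG_PCR_EVENT2 records) into PCR values.

Constructed example: the log below is built in-process, so it runs offline and
contains no real firmware measurements. The TCG "Spec ID" header event that a
real log starts with is assumed to have been stripped already.
"""
import hashlib
import struct

# TPM 2.0 algorithm identifiers (TPM_ALG_ID) and their digest sizes.
TPM_ALG_SHA1 = 0x0004
TPM_ALG_SHA256 = 0x000B
ALG_INFO = {TPM_ALG_SHA1: ("sha1", 20), TPM_ALG_SHA256: ("sha256", 32)}

# A few TCG event types as they appear in BIOS/EFI logs.
EV_POST_CODE = 0x00000001
EV_SEPARATOR = 0x00000004
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003


def build_event(pcr, event_type, digests, data):
    """Serialize one TCG_PCR_EVENT2 record: pcrIndex, eventType, digestCount,
    then (algorithmId, digest) pairs, then eventSize and the event data."""
    out = struct.pack("<III", pcr, event_type, len(digests))
    for alg, digest in digests:
        out += struct.pack("<H", alg) + digest
    return out + struct.pack("<I", len(data)) + data


def parse_events(log):
    """Parse back-to-back TCG_PCR_EVENT2 records. Each digest list may carry
    one entry per active PCR bank (crypto-agile format), so the digest size
    is taken from the algorithm id rather than assumed."""
    events, off = [], 0
    while off < len(log):
        if off + 12 > len(log):
            raise ValueError("truncated event header at offset %d" % off)
        pcr, ev_type, count = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", log, off)
            off += 2
            if alg not in ALG_INFO:
                raise ValueError("unsupported digest algorithm 0x%04x" % alg)
            size = ALG_INFO[alg][1]
            digests[alg] = log[off:off + size]
            off += size
        (size,) = struct.unpack_from("<I", log, off)
        off += 4
        if off + size > len(log):
            raise ValueError("truncated event data at offset %d" % off)
        events.append((pcr, ev_type, digests, log[off:off + size]))
        off += size
    return events


def extend(current, digest, alg=TPM_ALG_SHA256):
    """TPM PCR extend: new = H(current || digest)."""
    return hashlib.new(ALG_INFO[alg][0], current + digest).digest()


def replay_pcrs(events, alg=TPM_ALG_SHA256):
    """Replay the log into the chosen bank; BIOS/EFI PCRs start at all zeros."""
    size = ALG_INFO[alg][1]
    pcrs = {}
    for pcr, _ev_type, digests, _data in events:
        if alg not in digests:
            raise ValueError("PCR %d event has no digest for bank 0x%04x" % (pcr, alg))
        pcrs[pcr] = extend(pcrs.get(pcr, bytes(size)), digests[alg], alg)
    return pcrs


def check_against_quote(events, quoted_pcrs, alg=TPM_ALG_SHA256):
    """Return the PCR indices whose replayed value differs from what the TPM
    reported (e.g. in a quote). Any mismatch means the log does not explain
    the measured state and must not be trusted."""
    replayed = replay_pcrs(events, alg)
    return sorted(i for i in set(replayed) | set(quoted_pcrs)
                  if replayed.get(i) != quoted_pcrs.get(i))


def _digests(data):
    # Constructed measurements: hash the raw bytes in both banks.
    return [(TPM_ALG_SHA1, hashlib.sha1(data).digest()),
            (TPM_ALG_SHA256, hashlib.sha256(data).digest())]


# Constructed sample log with SHA-1 and SHA-256 banks active.
SAMPLE_LOG = b"".join([
    build_event(0, EV_POST_CODE, _digests(b"firmware volume 1"), b"firmware volume 1"),
    build_event(0, EV_SEPARATOR, _digests(b"\x00\x00\x00\x00"), b"\x00\x00\x00\x00"),
    build_event(4, EV_EFI_BOOT_SERVICES_APPLICATION, _digests(b"bootloader.efi"), b"bootloader.efi"),
])

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for pcr, value in sorted(replay_pcrs(events).items()):
        print("PCR%02d %s" % (pcr, value.hex()))
```

The parser refuses unknown algorithm ids rather than guessing a digest length, since a wrong guess would silently desynchronize every record that follows; a truncated log is likewise reported instead of being replayed partially, because a partial replay can never match the quoted PCRs and would only produce a misleading mismatch list.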
Other Notable Features and Fixes
- The file and syslog loggers support logging the log level of each message after the subsystem (e.g.
- A new global strongswan.conf option allows sending the Cisco FlexVPN vendor ID to prevent Cisco devices from narrowing 0.0.0.0/0 traffic selectors.
- Improved support for EdDSA keys in vici/swanctl, in particular, encrypted keys are now supported.
- The openssl plugin accepts CRLs issued by non-CA certificates if they contain the cRLSign keyUsage flag.
- All remaining queued vici messages are now sent to subscribed clients during shutdown.
- Nonces in OCSP responses are not enforced anymore and only validated if a nonce is actually contained.
- Fixed an issue when only some fragments of a retransmitted IKEv2 message were received, which prevented processing a following fragmented message.
- CHILD_SA IP addresses are updated before installation of the IPsec SAs and policies to allow MOBIKE updates while retransmitting a CREATE_CHILD_SA request.
- When looking for a route to the peer, the kernel-netlink plugin now ignores the current source address if it's deprecated.
- charon-nm is now properly terminated during system shutdown.