Release and vulnerability announcements for strongSwan

strongSwan 5.9.11 Released

We are happy to announce the release of strongSwan 5.9.11, which fixes a deadlock in the vici plugin, changes requirements for CRL signers, supports optional CA labels in EST server URIs, and comes with several other new features and fixes.

Deadlock in vici Plugin

A long-standing deadlock in the vici plugin has been fixed. It could be triggered when multiple connections were initiated/terminated concurrently and control-log events were raised by the watcher_t component.

To improve performance and reduce the chances of a similar deadlock, the logging calls in the watcher_t component have been reduced and moved out of its internal mutex, and a change that caused the component to busy-wait in some situations has been reverted.

Also related is a change that avoids verbose log calls during initiate()/terminate() (if you're a developer, please see the notes in the linked changelog).

CRL Signer Requirements Change

In compliance with RFC 5280, CRLs now have to be signed by a certificate that either encodes the cRLSign keyUsage bit (this also applies to CA certificates, which are no longer exempt) or is a CA certificate without a keyUsage extension. strongSwan has encoded a keyUsage extension with the cRLSign bit set in all CA certificates it generates for 13 years; before that it didn't encode the extension at all, so those older certificates are still accepted as CRL issuers as long as they are valid. If your CRLs are issued by a certificate that was not generated by strongSwan (for example, a CA certificate whose keyUsage lacks cRLSign, or a dedicated CRL-signing certificate without basicConstraints CA:TRUE and without a keyUsage extension), verify that it satisfies one of the two conditions before upgrading, otherwise its CRLs will be rejected.
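To see what the new rule accepts and rejects, the following added example (not strongSwan's code, and not how the library implements the check internally) builds four constructed self-signed certificates with the openssl command-line tool and applies the rule stated above to each: keyUsage present with cRLSign, a CA without keyUsage, a CA whose keyUsage lacks cRLSign, and a non-CA without keyUsage. It assumes an openssl binary of version 1.1.1 or newer on the PATH (for `x509 -ext` and `req -x509 -extensions`); the certificate names, config sections and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example, not strongSwan code: apply the CRL issuer rule enforced by
# strongSwan 5.9.11 (RFC 5280: if keyUsage is present it must assert cRLSign,
# otherwise only a CA certificate qualifies) to four constructed test
# certificates. Requires openssl >= 1.1.1 on the PATH (assumption).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config with one extension section per constructed case.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = crl-signer-test
[ca_crlsign]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_noku]
basicConstraints = critical,CA:TRUE
[ca_no_crlsign]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[ee_noku]
basicConstraints = critical,CA:FALSE
EOF

# One EC key is enough: every test certificate is self-signed with it.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem" 2>/dev/null

# make_cert NAME SECTION: write $WORK/NAME.pem carrying the extensions of SECTION.
make_cert() {
    openssl req -new -x509 -days 1 -key "$WORK/key.pem" \
        -config "$WORK/req.cnf" -extensions "$2" \
        -subj "/CN=$1" -out "$WORK/$1.pem" 2>/dev/null
}

# crl_signer_check CERT: print "accept" if CERT may sign CRLs under the
# 5.9.11 rule, "reject" otherwise.
#   keyUsage present -> accept only if it asserts cRLSign (CA or not)
#   keyUsage absent  -> accept only if basicConstraints says CA:TRUE
crl_signer_check() {
    # "x509 -ext" prints the named extension, or nothing if it is absent.
    ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null || true)
    if [ -n "$ku" ]; then
        case $ku in
            *"CRL Sign"*) echo accept ;;
            *)            echo reject ;;
        esac
        return 0
    fi
    bc=$(openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null || true)
    case $bc in
        *"CA:TRUE"*) echo accept ;;
        *)           echo reject ;;
    esac
}

# Build and classify all four cases; ca_no_crlsign and ee_noku are rejected.
for tc in ca_crlsign ca_noku ca_no_crlsign ee_noku; do
    make_cert "$tc" "$tc"
    printf '%-14s %s\n' "$tc" "$(crl_signer_check "$WORK/$tc.pem")"
done
```

Pointing crl_signer_check at the certificate that actually issues your CRLs (the one whose subject matches the CRL's issuer field) tells you whether 5.9.11 will still honour those CRLs; the ca_no_crlsign case is the one most likely to bite deployments whose CA was generated by a tool that sets keyUsage to keyCertSign only.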

Optional CA Labels in EST Server URIs

The pki --est and pki --estca commands gained support for optional CA labels in EST server URIs (e.g. https://www.example.org/.well-known/est/arbitraryLabel1/<operation>).

Other Notable Features and Fixes

  • Fixed a regression in the server implementation of EAP-TLS when using TLS 1.2 or earlier that was introduced with 5.9.10.
  • On Linux, the kernel-libipsec plugin can now optionally handle ESP packets without UDP encapsulation (uses RAW sockets, disabled by default). The plugin and libipsec also gained support for trap policies.
  • The dhcp plugin uses an alternative method to determine the source address when sending unicast DHCP requests, which is not affected by interface filtering that might be employed for the IKE sockets.
  • The selection of certificates and trust chains as initiator has been improved for the case where the local trust chain is incomplete (i.e. the root CA certificate for the local certificate is not loaded) while a certificate request for a known but unrelated CA is received. Previously, this caused local intermediate CA certificates not to be sent.

Download Complete Changelog