Return to 68.html CVS log | Up to [local] / www |
version 1.51, 2020/10/07 13:33:52 | version 1.52, 2020/10/07 19:50:02 | ||
---|---|---|---|
<li><a href="https://man.openbsd.org/ipsec">ipsec(4)</a> (and related userland programs) improvements and | <li><a href="https://man.openbsd.org/ipsec">ipsec(4)</a> (and related userland programs) improvements and | ||
bugfixes: | bugfixes: | ||
<ul> | <ul> | ||
<li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a> policy lookup edge case for simultaneous transport and tunnel mode SAs. | |||
<li>Added AES-GCM mode ciphers for IKEv2, configurable in <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a> with the new "ikesa enc" options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12. | <li>Added AES-GCM mode ciphers for IKEv2, configurable in <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a> with the new "ikesa enc" options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12. | ||
<li>Added AES-GCM ciphers to the default proposals for IKE and Child SAs resulting in considerable performance improvements with hardware acceleration support. | <li>Enabled AES-GCM ciphers by default for IKE and Child SAs resulting in considerable performance improvements with hardware acceleration support. | ||
<li>Fixed <a href="https://man.openbsd.org/iked">iked(8)</a> public key authentication interoperability with *swan and other IKEv2 implementations by making CERT and CERTREQ payloads optional. | <li>Enabled SHA2_384 and SHA2_512 by default for improved compatibilty. | ||
<li>Prioritized incoming certificate requests by the order of CERTEQ payloads in the received message in <a href="https://man.openbsd.org/iked">iked(8)</a>. | |||
<li>Added optional <a href="https://man.openbsd.org/iked">iked(8)</a> time-stamp validation for OCSP. | |||
<li>Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges in <a href="https://man.openbsd.org/iked">iked(8)</a>. | |||
<li>Added the new <a href="https://man.openbsd.org/iked">iked(8)</a> configuration option "set enforcesingleikesa" to limit the number of connections for each peer. | <li>Added the new <a href="https://man.openbsd.org/iked">iked(8)</a> configuration option "set enforcesingleikesa" to limit the number of connections for each peer. | ||
<li>Added a dpd_check_interval configuration option to <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>. | <li>Added optional <a href="https://man.openbsd.org/iked">iked(8)</a> time-stamp validation for OCSP. | ||
<li>Allowed disabling of <a href="https://man.openbsd.org/iked">iked(8)</a> DPD liveness checks by setting dpd_check_interval to 0 in <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>. | |||
<li>Added a 30 second timeout for OCSP requests in <a href="https://man.openbsd.org/iked">iked(8)</a>. | <li>Added a 30 second timeout for OCSP requests in <a href="https://man.openbsd.org/iked">iked(8)</a>. | ||
<li>Added a new "set cert_partial_chain" config option to <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a> to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca. | <li>Added a new "set cert_partial_chain" config option to <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a> to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca. | ||
<li>Added a dpd_check_interval configuration option to <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>. | |||
<li>Allowed disabling of <a href="https://man.openbsd.org/iked">iked(8)</a> DPD liveness checks by setting dpd_check_interval to 0 in <a href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>. | |||
<li>Made <a href="https://man.openbsd.org/iked">iked(8)</a> use the CA certificate for the OCSP issuer and respect the OCSP url from the issuer certificate. | |||
<li>Fixed <a href="https://man.openbsd.org/iked">iked(8)</a> public key authentication interoperability with *swan and other IKEv2 implementations by making CERT and CERTREQ payloads optional. | |||
<li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a> policy lookup edge case for simultaneous transport and tunnel mode SAs. | |||
<li>Fixed a dst/src <a href="https://man.openbsd.org/iked">iked(8)</a> port configuration bug with multiple flows. | <li>Fixed a dst/src <a href="https://man.openbsd.org/iked">iked(8)</a> port configuration bug with multiple flows. | ||
<li>Prioritized incoming certificate requests by the order of CERTEQ payloads in the received message in <a href="https://man.openbsd.org/iked">iked(8)</a>. | |||
<li>Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges in <a href="https://man.openbsd.org/iked">iked(8)</a>. | |||
<li>Handled <a href="https://man.openbsd.org/iked">iked(8)</a> TEMPORARY_FAILURE notification on IKESA rekeying. | <li>Handled <a href="https://man.openbsd.org/iked">iked(8)</a> TEMPORARY_FAILURE notification on IKESA rekeying. | ||
<li>Fixed multiple bugs with pfkey acquire messages. | |||
</ul> | </ul> | ||
<li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes: | <li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes: |
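
Review bot: The new "Enabled SHA2_384 and SHA2_512 by default" item misspells "compatibility" as "compatibilty" and does not say which default proposals gained the hashes, while the AES-GCM item directly above it names "IKE and Child SAs"; suggest fixing the spelling and naming the SAs the same way. Since the "Prioritized incoming certificate requests" item is being moved in this revision anyway, "CERTEQ" there should read "CERTREQ", matching the "CERT and CERTREQ payloads" item two lines earlier in the new ordering. The moved "Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges" item likely means the IKEv2 INFORMATIONAL exchange and could be corrected in the same pass. The newly added "Fixed multiple bugs with pfkey acquire messages" item does not name the affected program, which most of its neighbours do with an iked(8) link.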