===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/68.html,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -r1.51 -r1.52
--- www/68.html 2020/10/07 13:33:52 1.51
+++ www/68.html 2020/10/07 19:50:02 1.52
@@ -393,20 +393,23 @@
ipsec(4) (and related userland programs) improvements and
bugfixes:
- - Fixed an iked(8) policy lookup edge case for simultaneous transport and tunnel mode SAs.
- Added AES-GCM mode ciphers for IKEv2, configurable in iked.conf(5) with the new "ikesa enc" options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
-
- Added AES-GCM ciphers to the default proposals for IKE and Child SAs resulting in considerable performance improvements with hardware acceleration support.
-
- Fixed iked(8) public key authentication interoperability with *swan and other IKEv2 implementations by making CERT and CERTREQ payloads optional.
-
- Prioritized incoming certificate requests by the order of CERTEQ payloads in the received message in iked(8).
-
- Added optional iked(8) time-stamp validation for OCSP.
-
- Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges in iked(8).
+
- Enabled AES-GCM ciphers by default for IKE and Child SAs resulting in considerable performance improvements with hardware acceleration support.
+
- Enabled SHA2_384 and SHA2_512 by default for improved compatibilty.
- Added the new iked(8) configuration option "set enforcesingleikesa" to limit the number of connections for each peer.
-
- Added a dpd_check_interval configuration option to iked.conf(5).
-
- Allowed disabling of iked(8) DPD liveness checks by setting dpd_check_interval to 0 in iked.conf(5).
+
- Added optional iked(8) time-stamp validation for OCSP.
- Added a 30 second timeout for OCSP requests in iked(8).
- Added a new "set cert_partial_chain" config option to iked.conf(5) to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca.
+
- Added a dpd_check_interval configuration option to iked.conf(5).
+
- Allowed disabling of iked(8) DPD liveness checks by setting dpd_check_interval to 0 in iked.conf(5).
+
- Made iked(8) use the CA certificate for the OCSP issuer and respect the OCSP url from the issuer certificate.
+
- Fixed iked(8) public key authentication interoperability with *swan and other IKEv2 implementations by making CERT and CERTREQ payloads optional.
+
- Fixed an iked(8) policy lookup edge case for simultaneous transport and tunnel mode SAs.
- Fixed a dst/src iked(8) port configuration bug with multiple flows.
+
- Prioritized incoming certificate requests by the order of CERTEQ payloads in the received message in iked(8).
+
- Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges in iked(8).
- Handled iked(8) TEMPORARY_FAILURE notification on IKESA rekeying.
+
- Fixed multiple bugs with pfkey acquire messages.
tmux(1) improvements and bug fixes:
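Review bot: The added entry "Enabled SHA2_384 and SHA2_512 by default for improved compatibilty." misspells "compatibility". It also does not say which default proposals it changes (IKE SAs, Child SAs or both), whereas the AES-GCM entry just above it names both. The moved certificate-request entry still reads "CERTEQ payloads" while the interoperability entry a few lines earlier spells it "CERTREQ", so fix that in the same commit since the line is being touched anyway. The moved entry "Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges" should name the IKEv2 exchange type as INFORMATIONAL. The regrouping itself reads better (cipher defaults, then OCSP, then DPD, then fixes), but the old wording "Added AES-GCM ciphers to the default proposals" became "Enabled AES-GCM ciphers by default"; if the ciphers were added to the proposal list rather than made the only default, the original wording was more exact for someone auditing negotiated suites after an upgrade.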