We are happy to announce the release of strongSwan 5.9.3, which supports IKE encryption via TKM, adds more algorithms to the wolfssl plugin and brings several other new features and fixes.
IKE Encryption via TKM
The Trusted Key Manager (TKM) and strongSwan's corresponding IKE daemon charon-tkm gained support for encrypting IKE messages inside the TKM. That way, the IKE daemon itself never sees any key material at all.
More Algorithms for the wolfssl Plugin
With added support for AES-ECB, SHA-3 and SHAKE-256, even more of the other crypto plugins can be disabled when relying on wolfSSL as the cryptographic backend.
Other Notable Features and Fixes
- The x509 and the openssl plugins now consider the authorityKeyIdentifier, if available, before verifying signatures. This avoids unnecessary signature verifications after a CA key rollover, where both CA certificates (same subject DN, different keys) are loaded. The openssl plugin now does the same for CRLs as well (the x509 plugin already did).
- The NetworkManager backend (charon-nm) now supports using SANs as client identities, not only full DNs.
- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which previously depended on a version check.
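To illustrate the authorityKeyIdentifier shortcut described for the x509 and openssl plugins, here is an added example written in Go with only the standard library. It is not strongSwan code and does not mirror the plugins' implementation; it builds a constructed rollover scenario (two self-signed CAs with the same subject DN but different keys, and a leaf issued by the newer one), then counts how many signature verifications an issuer search needs with and without matching the leaf's authorityKeyIdentifier against each CA's subjectKeyIdentifier first. The function and certificate names (`newCA`, `newLeaf`, `findIssuer`, `RolloverChecks`, "Example Root CA", "moon.strongswan.org") are all invented for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed CA. Every CA built here carries the same subject
// DN, as old and new CA do after a key rollover, and differs only in its key and
// subjectKeyIdentifier (here a truncated SHA-256 of the public key; RFC 5280
// allows any method that yields a stable, unique identifier).
func newCA(serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	must(err)
	ski := sha256.Sum256(pub)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SubjectKeyId:          ski[:20],
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newLeaf issues an end-entity certificate from ca. Because issuer and subject
// differ, Go copies ca.SubjectKeyId into the leaf's authorityKeyIdentifier.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		Subject:      pkix.Name{CommonName: "moon.strongswan.org"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return leaf
}

// findIssuer searches cas for the certificate that signed leaf. Candidates are
// always filtered by issuer DN; with useAKI set, candidates whose
// subjectKeyIdentifier does not match the leaf's authorityKeyIdentifier are
// skipped before any signature is checked (only when both identifiers are
// present). It returns the index of the issuer found (-1 if none) and the
// number of signature verifications performed.
func findIssuer(leaf *x509.Certificate, cas []*x509.Certificate, useAKI bool) (int, int) {
	checks := 0
	for i, ca := range cas {
		if !bytes.Equal(ca.RawSubject, leaf.RawIssuer) {
			continue
		}
		if useAKI && len(leaf.AuthorityKeyId) > 0 && len(ca.SubjectKeyId) > 0 &&
			!bytes.Equal(leaf.AuthorityKeyId, ca.SubjectKeyId) {
			continue // key identifiers disagree: skip the expensive signature check
		}
		checks++
		if leaf.CheckSignatureFrom(ca) == nil {
			return i, checks
		}
	}
	return -1, checks
}

// RolloverChecks builds the rollover scenario (old CA listed first, leaf signed
// by the new CA) and returns the verification counts without and with the
// authorityKeyIdentifier shortcut.
func RolloverChecks() (naive, withAKI int) {
	oldCA, _ := newCA(1)
	newCA, newKey := newCA(2)
	leaf := newLeaf(newCA, newKey)
	cas := []*x509.Certificate{oldCA, newCA}

	if idx, n := findIssuer(leaf, cas, false); idx != 1 {
		panic("naive search picked the wrong issuer")
	} else {
		naive = n
	}
	if idx, n := findIssuer(leaf, cas, true); idx != 1 {
		panic("AKI-filtered search picked the wrong issuer")
	} else {
		withAKI = n
	}
	return naive, withAKI
}

func main() {
	naive, withAKI := RolloverChecks()
	fmt.Printf("signature checks without AKI filter: %d, with AKI filter: %d\n", naive, withAKI)
}
```

Without the filter, the old CA matches by subject DN and costs one failed signature verification before the new CA is tried; with the filter, the mismatching subjectKeyIdentifier rules it out first. The shortcut only helps when the identifiers are actually present and consistent, which is why the example falls back to plain DN matching when either side lacks one.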