Release and vulnerability announcements for strongSwan

strongSwan 5.9.9 Released

We are happy to announce the release of strongSwan 5.9.9, which unifies serial number handling, updates resolvconf handling, optionally makes listen() in VICI Python bindings time out and comes with several other new features and fixes.

Unified Handling of Serial Numbers

The x509 and the openssl plugins previously disagreed on whether to return serial numbers of certificates and CRLs with leading zeros or not. That could cause OCSP requests to contain an incorrect serial number if certificates were parsed by the openssl plugin.

This has been fixed and serial numbers are now expected to be returned in canonical form (i.e. without leading zeros) by plugins that implement the x509_t, crl_t and ac_t interfaces. Code that uses these interfaces may have to be adapted accordingly.

Updates to resolvconf Handling

The path/command that the resolve plugin uses to invoke resolvconf(8) is now configurable.

Since it caused problems with systemd's implementation of resolvconf (via symlink to resolvectl), the plugin does not invoke the command with individual interface names for each name server anymore. It previously did so with generated interface names by adding the server address as protocol suffix to a configurable prefix. Since systemd strips all that (an additional problem is that newer versions only strip stuff after the last dot causing it to not find a matching interface), it ended up with the same interface name for each one and every additional name server replaced the previous one for that interface. The plugin now uses a single, configurable interface/protocol name and provides all available name servers to resolvconf every time a name server is added or removed.

Optional Timeout for listen() in VICI Python Bindings

The listen() operation in the VICI Python bindings may now optionally time out. This can be useful when listening for events in a separate thread as that can otherwise not be canceled easily.

Note that support for Python 2 by these bindings has been dropped.

Other Notable Features and Fixes

  • The first reqid that's automatically assigned to a CHILD_SA is now configurable, which allows reserving low reqids for manual allocation.
  • Default values for soft lifetimes of CHILD_SAs configured via swanctl.conf/vici are now based on hard lifetimes if any are configured.
  • The kernel-netlink plugin now logs extended ACK error and warning messages provided by the Linux kernel, providing clearer messages to the users than the generic messages for error codes like ENOSYS did previously if the kernel e.g. doesn't support a specific algorithm.

Download Complete Changelog