-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
The Libreswan Project has released libreswan-4.0
This is a major feature and cleanup release.
The major release number was increased to signify some major changes.
Please ensure you extensively test libreswan 4.0 before upgrading
production systems.
Compatibility issues:
* The KLIPS IPsec stack has been removed - please switch to XFRMi to
use ipsecX devices.
* Obsolete algorithms removed/disabled (Serpent, Twofish, CAST,
MD5/SHA1, DH2, DH22-24, RIPEMD)
* Some compatibility keywords have been removed (mostly ones with "_")
* Some whack options have been removed and renamed
* ipsec status and ipsec trafficstatus output changes
* The default NSS database files (*.db) moved from /etc/ipsec.d to
/var/lib/ipsec/nss
* BUILD variables changed/renamed (see mk/config.mk)
* New BUILD variables (eg USE_NSS_KDF, USE_OLD_SELINUX)
* Removed BUILD variables SINGLE_CONF_DIR, EMIT_ISAKMP_SPI,
USE_KEYRR, TEST_INDECENT_PROPOSAL and ALLOW_MICROSOFT_BAD_PROPOSAL
* Renamed INC_* config variables
* Updates to _updown scripts (eg renamed _updown.xfrm)
* NETKEY options now called XFRM
* ipsec newhostkey no longer supports or requires --output
* Global ikeport/natport options removed in favour of per-conn port options
New features:
* Support for RFC 8229 IKE and ESP over TCP (requires Linux >= 5.8)
* Support for INTERMEDIATE exchange (draft-ietf-ipsecme-ikev2-intermediate)
* Support for NetBSD
* Improved support for OCP/clouds by supporting custom ikeports
* Failover and loadbalancing support for IKEv2 REDIRECT
* Improved certificate reloading support (ipsec whack --rereadcerts)
* ipsec.secrets no longer needed for RSA keys (:RSA section is now ignored)
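As an added illustration (not part of the announcement and not taken from the libreswan documentation), the following ipsec.conf fragment exercises the 4.0 keywords this release names: the per-conn leftikeport=/rightikeport= that replace the removed global ikeport/natport, the RFC 8229 TCP encapsulation keywords (listen-tcp=, tcponly=, tcp-remoteport=), and intermediate=yes for the INTERMEDIATE exchange. The connection name, addresses and the decision to put listen-tcp= in the config setup section are assumptions; consult the 4.0 manpages before copying it into a production configuration.

```ini
# Added example, not from the libreswan announcement or project docs.
# Section placement of listen-tcp= and the addresses below are assumptions.
config setup
	# 4.0 drops the global ikeport/natport keywords; the TCP listener
	# (RFC 8229, needs Linux >= 5.8) is enabled here instead.
	listen-tcp=yes

conn cloud-gw
	# Constructed example addresses (RFC 5737 documentation ranges).
	left=192.0.2.10
	right=198.51.100.20
	# Custom IKE port per connection (replaces the old global ikeport).
	leftikeport=4500
	rightikeport=4500
	# RFC 8229: carry IKE and ESP over TCP only, to the peer's TCP port.
	tcponly=yes
	tcp-remoteport=4500
	# draft-ietf-ipsecme-ikev2-intermediate (marked EXPERIMENTAL in 4.0).
	intermediate=yes
	authby=rsasig
	auto=start
```

The TCP and INTERMEDIATE features are flagged experimental in the changelog, so a defender rolling this out should verify with `ipsec status` and `ipsec trafficstatus` (whose output format also changed in 4.0) that the SA actually came up over TCP on the expected port before relying on it.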
Bug fixes:
* Improved NAT/port switching
* Fix labeled IPsec (selinux) for IKEv1
* Improved ipsecX device support
* Fix traffic counters for updown script
* Workaround for some Linux kernel versions with an ACQUIRE bug
* Windows 10 rekey interoperability fix
We are really happy to see that this release contains contributions from over
30 individual developers. Please let us know if there is anything we can
do to help you with contributing to libreswan.
This latest version of libreswan can be downloaded from:
https://download.libreswan.org/libreswan-4.0.tar.gz
https://download.libreswan.org/libreswan-4.0.tar.gz.asc
The full changelog is available at: https://download.libreswan.org/CHANGES
Please report bugs either via one of the mailing lists or at our bug
tracker:
https://lists.libreswan.org/
https://bugs.libreswan.org/
Binary packages for RHEL/CentOS can be found at:
https://download.libreswan.org/binaries/
Binary packages for Fedora and Debian should be available in their
respective repositories a few days after this release.
See also https://libreswan.org/
v4.0 (October 14, 2020)
* KLIPS: Support for KLIPS completely removed [Paul]
* pluto: Removed support for deprecated algos: serpent, twofish, cast [Paul]
* IKEv2: EXPERIMENTAL: Support for RFC 8229 IKE/ESP over TCP [Andrew]
  New per-conn keywords: listen-tcp=yes|no, tcponly=yes|no,
  tcp-remoteport=
  Requires: Linux kernel >= 5.8
* IKEv2: Support for leftikeport= / rightikeport= [Andrew/Paul]
* IKEv2: EXPERIMENTAL: Support for INTERMEDIATE Exchange [Yulia Kuzovkova/GSoC]
  New keyword: intermediate=yes
* FIPS: Remove DH 23/24 from FIPS allowed list as per SP 800 56A Rev 3 [Paul]
* pluto: Support for rereading configured certificates from NSS [Myungjin Lee]
* pluto: plutodebug= keywords are now: base,cpu-usage,crypt,tmi,private [Andrew]
* pluto: find_pluto_xfrmi_interface() would only check first interface [Paul]
* pluto: ddos cookies-threshold and max-halfopen output was swapped [John Mah]
* pluto: Fix leased IP address leak [Andrew/Paul]
* pluto: Fix displaying PLUTO_BYTES_ counters [Paul]
* pluto: Replace/remove deprecated libselinux functions [Eduardo Barretto]
* pluto: Update selinux calls for Labeled IPsec support [Richard Haines]
* pluto: Memory leak fixes [Hugh]
* pluto: Remove unused per peer logging [Andrew]
* pluto: Cleanup logging code for minimal logging support [Andrew]
* pluto: Cleanup netlink / XFRM code [Hugh]
* pluto: xfrmi used mark-out for XFRMA_SET_MARK [Antony/Wolfgang]
* pluto: Support for ipsec0 interface to help migrate from KLIPS to XFRM [Paul]
* pluto: Fix logging some IKE messages to proper IKE SA state [Andrew]
* pluto: Remove global ikeport/nat-ikeport, add listen-udp/listen-tcp [Paul]
* pluto: Connections now have serial numbers which are logged [Paul/Andrew]
* pluto: No longer require :RSA sections in ipsec.secrets [Andrew]
* pluto: pluto chooses wrong raw RSA key (github#352) [Andrew]
* seccomp: Update syscall allowlist for pluto and addconn [Paul]
* whack: Support for ipsec whack --rereadcerts [Paul]
* whack: Rename --ikev1-allow and --ikev2-allow to --ikev1 and --ikev2 [Paul]
* whack: Clear inherited defaults for IKEv2 from IKEv1 connections [Paul]
* show: Fixup for python3 version of ipaddress module