Release and vulnerability announcements for strongSwan

strongSwan 5.8.1 Released

We are happy to announce the release of strongSwan 5.8.1, which is mainly a maintenance release but also supports an optional less strict matching of RDNs in DNs of X.509 certificates.

Less Strict Matching of RDNs in DNs of X.509 Certificates

RDNs in DNs of X.509 certificates can now optionally be matched less strict. The global strongswan.conf option charon.rdn_matching takes two alternative values (defaults to strict) that cause the matching algorithm to either ignore the order of matched RDNs (reordered) or additionally (relaxed) accept DNs that contain more RDNs than configured (unmatched RDNs are treated like wildcard matches).

Note that reordered and relaxed impose a considerable overhead on memory usage and runtime, in particular, for mismatches, compared to static.

So for example, the configured identity

C=CH, O=strongSwan, CN=*, SN=*

by default, matches a certificate with a subject DN like

C=CH, O=strongSwan,, SN=ZX52376

but doesn't match a certificate with the following subject DN

C=CH, O=strongSwan, SN=ZY85641,

as the order of the last two RDNs is different. Setting the mentioned configuration option to reordered would accept the second certificate too.

However, it wouldn't match a certificate with the following subject DN

C=CH, O=strongSwan, OU=Sales, SN=ZZ54273,

as the OU RDN isn't matched. This can be allowed by setting the option to relaxed, which treats the missing RDN like a wildcard match (i.e. as if OU=* was configured). Even with that setting, though, a certificate with the following subject DN wouldn't be accepted

C=CH, O=strongSwan,

because it misses the configured, and thus enforced, SN RDN.

Other Notable Features and Fixes

Download Complete Changelog