diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc index 916f5bd0..c5a4c573 100644 --- a/docs/modules/ROOT/nav.adoc +++ b/docs/modules/ROOT/nav.adoc @@ -1,3 +1,6 @@ +.News +** xref:news/whatsNew.adoc[] + * xref:howtos/introduction.adoc[] * xref:howtos/ipsecProtocol.adoc[] diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc index 0fc9b1bc..a33015b4 100644 --- a/docs/modules/ROOT/pages/index.adoc +++ b/docs/modules/ROOT/pages/index.adoc @@ -2,6 +2,7 @@ == Introduction +* xref:news/whatsNew.adoc[] * xref:howtos/introduction.adoc[An introduction to strongSwan] == Configuration Examples diff --git a/docs/modules/ROOT/pages/news/whatsNew.adoc b/docs/modules/ROOT/pages/news/whatsNew.adoc new file mode 100644 index 00000000..0e626412 --- /dev/null +++ b/docs/modules/ROOT/pages/news/whatsNew.adoc @@ -0,0 +1,135 @@ += What's New in strongSwan 6.0 + +:RELEASES: https://github.com/strongswan/strongswan/releases +:BOTAN: https://botan.randombit.net/ +:WOLFSSL: https://www.wolfssl.com/ +:AWSLC: https://aws.amazon.com/security/opensource/cryptography/ +:GMP: https://gmplib.org/ +:OPENSSL: https://openssl.org/ + +TIP: Please refer to the {RELEASES}[*full release notes*] for a complete list of +changes. + +== Plugins + +=== New Plugin + +The following new `*libstrongswan*` plugin has been *added*: + +[cols="5,22"] +|=== +|Plugin Name |Description + +|ml +|Module-Lattice-based crypto (ML-KEM) + +|=== + +NOTE: ML-KEM is also supported via {BOTAN}[Botan] (`*botan*` plugin), +{WOLFSSL}[wolfSSL] (`*wolfssl*` plugin), and {AWSLC}[AWS-LC] (`*openssl*` plugin). + +=== Removed Plugins + +The following deprecated `*libstrongswan*` plugins have been *removed*: + +[cols="5,22"] +|=== +|Plugin Name |Description + +|bliss +|Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme + +|newhope +|Key exchange based on post-quantum computer New Hope algorithm + +|ntru +|Key exchange based on post-quantum computer NTRU encryption +|=== + +=== Default Plugins + +The powerful `*openssl*` crypto plugin is now *enabled* by default: + +[cols="5,22"] +|=== +|Plugin Name |Description + +|openssl +|Crypto backend based on the {OPENSSL}[OpenSSL] library +|=== + +Due to the nearly all-encompassing capabilities of the `*openssl*` default +crypto plugin, the following `*libstrongswan*` plugins are *not enabled* by +default anymore: + +[cols="5,22"] +|=== +|Plugin Name |Description + +|aes +|AES-128/192/256 cipher software implementation + +|curve25519 +|X25519 DH group and Ed25519 public key authentication + +|des +|DES/3DES cipher software implementation + +|fips-prf +|PRF specified by FIPS, used by EAP-SIM/AKA algorithms + +|gmp +|RSA/DH crypto backend based on {GMP}[libgmp] + +|hmac +|HMAC wrapper using various hashers + +|md5 +|MD5 hasher software implementation + +|pkcs12 +|PKCS#12 decoding routines + +|rc2 +|RC2 cipher software implementation + +|sha1 +|SHA1 hasher software implementation + +|sha2 +|SHA-2 hasher software implementation +|=== + +IMPORTANT: The legacy `*stroke*` management interface has been deprecated for many + years and has been replaced by the versatile xref:plugins/vici.adoc[`*vici*`] + management interface. Thus with strongSwan 6.0, the `*stroke*` plugin + is *not enabled* by default anymore and has to be built separately. + +[cols="5,22"] +|=== +|Plugin Name |Description + +|stroke +|Deprecated stroke configuration/control backend used with ipsec script and starter +|=== + +Thus the xref:/plugins/plugins.adoc#_default_plugins[following 25 plugins] are now +enabled by xref:/plugins/plugins.adoc#_default_plugins[default]. + +== Configuration Options + +The following xref:config/strongswanConf.adoc#_charon[`*strongswan.conf*`] +configuration option is now enabled by default: + +[cols="4,1,8"] +|=== +|*Key*|*Default*|*Description [Default]* + +|make_before_break |`yes` +|Initiate IKEv2 reauthentication with a *make-before-break* instead of a + *break-before-make* scheme. Make-before-break uses overlapping `IKE` and `CHILD SA` + during reauthentication by first recreating all new SAs before deleting the old + ones. This behavior can be beneficial to avoid connectivity gaps during + reauthentication, but requires support for overlapping SAs by the peer. + strongSwan can handle such overlapping SAs since version 5.3.0 +|===