- Added AES-ECB, SHA-3 and SHAKE-256 support to the wolfssl plugin.
- Added AES-CCM support to the openssl plugin (#353).
- The x509 and the openssl plugins now consider the authorityKeyIdentifier, if available, before verifying signatures, which avoids unnecessary signature verifications after a CA key rollover if both CA certificates are loaded. The openssl plugin now does the same also for CRLs (the x509 plugin already did).
- The pkcs11 plugin better handles optional attributes like
CKA_TRUSTED, which previously depended on a version check (6537be9). - The NetworkManager backend (charon-nm) now supports using SANs as client identities, not only full DNs (#437).
- charon-tkm now handles IKE encryption.
- Send a MOBIKE update again if a a change in the NAT mappings is detected but the endpoints stay the same (e143a7d).
- A deadlock in the HA plugin introduced with 5.9.2 has been fixed (#456).
- DSCP values are now also set for NAT keepalives.
- The
ike_derived_keys()hook now receives more keys but in a different order (4e29d6f). - Converted most of the test case scenarios to the vici interface.
Refer to the 5.9.3 milestone for a list of all closed issues and pull requests.