From: Tobias Brunner Date: Thu, 10 Mar 2016 10:46:44 +0000 (+0100) Subject: NEWS: Added note on online revocation checks during make-before-break reauthentication X-Git-Tag: 5.4.0rc1~10^2 X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=b4337c5b027871d6bb076b85d9a8699f86a74fa6 NEWS: Added note on online revocation checks during make-before-break reauthentication --- diff --git a/NEWS b/NEWS index fcb89f0..1d69cd8 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,15 @@ strongswan-5.4.0 constraints against IKEv2 authentication in rightauth, which allows the use of different signature schemes for trustchain verification and authentication. +- The initiator of an IKEv2 make-before-break reauthentication now suspends + online certificate revocation checks (OCSP, CRLs) until the new IKE_SA and all + CHILD_SAs are established. This is required if the checks are done over the + CHILD_SA established with the new IKE_SA. This is not possible until the + initiator installs this SA and that only happens after the authentication is + completed successfully. So we suspend the checks during the reauthentication + and do them afterwards, if they fail the IKE_SA is closed. This change has no + effect on the behavior during the authentication of the initial IKE_SA. + - For the vici plugin a Vici:Session Perl CPAN module has been added to allow Perl applications to control and/or monitor the IKE daemon using the VICI interface, similar to the existing Python egg or Ruby gem.
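Review bot: The sentence "and do them afterwards, if they fail the IKE_SA is closed" in the added NEWS entry does not spell out the window it creates: the new IKE_SA and all CHILD_SAs are established before the peer certificate's revocation status is known, and the entry itself says the checks may run over the new CHILD_SA. Consider stating that explicitly. It would also help to say whether "fail" means only a revoked certificate or also an OCSP/CRL lookup that cannot be completed, and to make clear that it is the new IKE_SA that gets closed. The comma splice in that sentence should be split into two sentences. In "This is not possible until the initiator installs this SA", the leading "This" should name what it refers to (performing the checks over the CHILD_SA).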