From 3f1ef3a678159e1523f38a3e50ccb55afc4461a4 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Fri, 27 Feb 2015 19:19:13 +0100 Subject: [PATCH] NEWS: Introduce RFC 7427 signature authentication --- NEWS | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/NEWS b/NEWS index 8dc5e31..69fbdd1 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,19 @@ strongswan-5.3.0 as any previous strongSwan release) it must be explicitly enabled using the charon.make_before_break strongswan.conf option. +- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added. + This allows the use of stronger hash algorithms for public key authentication. + By default, signature schemes are chosen based on the strength of the + signature key, but specific hash algorithms may be configured in leftauth. + +- Key types and hash algorithms specified in rightauth are now also checked + against IKEv2 signature schemes. If such constraints are used for certificate + chain validation in existing configurations, in particular with peers that + don't support RFC 7427, it may be necessary to disable this feature with the + charon.signature_authentication_constraints setting, because the signature + scheme used in classic IKEv2 public key authentication may not be strong + enough. + - The new connmark plugin allows a host to bind conntrack flows to a specific CHILD_SA by applying and restoring the SA mark to conntrack entries. This allows a peer to handle multiple transport mode connections coming over the -- 2.7.4
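Review bot: the second NEWS entry points administrators at the charon.signature_authentication_constraints setting as the way to disable the new check, but it does not state the setting's default or which value turns the check off, and since this hunk describes a behaviour change for existing configurations that use key type or hash constraints in rightauth (peers without RFC 7427 support can now fail validation), the entry should say explicitly whether the check is enabled by default and what value restores the previous behaviour. Along the same lines, the first entry says "specific hash algorithms may be configured in leftauth" without showing the syntax, so a one-line hint of how a hash algorithm is specified there would let readers act on the note. The description of the failure mode itself ("the signature scheme used in classic IKEv2 public key authentication may not be strong enough") is clear and worth keeping as written.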