author | Tobias Brunner <tobias@strongswan.org> | 2017-09-19 11:04:37 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-11-08 16:47:16 +0100 |
commit | 76c58498efd1a80a70966889bd3fdc3b9e863b06 (patch) | |
tree | d93cee8bc841b6a4d1133c2c5dadb131fa6db567 | |
parent | 10da451fc38c31476c26c5aa78ad3decc01e3a1f (diff) | |
proposal: Remove MODP-1024 from default IKE proposal
RFC 8247 demoted it to SHOULD NOT. This might break connections with
Windows clients unless they are configured to use a stronger group or
matching weak proposals are configured explicitly on the server.
References #2427.
-rw-r--r-- | src/libcharon/config/proposal.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index b4245d3de..46c3c9400 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -973,6 +973,8 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 /* only for testing purposes */
 break;
 case MODP_768_BIT:
+ case MODP_1024_BIT:
+ case MODP_1536_BIT:
 /* weak */
 break;
 case MODP_1024_160:
@@ -980,7 +982,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 case MODP_2048_256:
 /* RFC 5114 primes are of questionable source */
 break;
- case MODP_1536_BIT:
 case ECP_224_BIT:
 case ECP_224_BP:
 case ECP_192_BIT:
@@ -988,7 +989,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 /* rarely used */
 break;
 case MODP_2048_BIT:
- case MODP_1024_BIT:
 add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
 break;
 default: |
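Review bot: The bare `/* weak */` comment in the first hunk now covers three groups, but the commit message only justifies MODP-1024; `MODP_1536_BIT` is also moved from the "rarely used" branch to the "weak" branch with no stated reason. The commit message says these groups still work when configured explicitly, so the comment should record that the exclusion applies to the default proposal only, for example `/* weak, not proposed by default (RFC 8247); usable only if configured explicitly */`. That keeps a later reader from treating the branch as a hard rejection, or from re-adding a group to the default to fix an interop report. The body of proposal_add_supported_ike starts and ends outside the hunks, so whether another path adds these groups to a default proposal cannot be checked from here.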