author Martin Willi <martin@revosec.ch> 2012-06-11 15:48:03 +0200
committer Martin Willi <martin@revosec.ch> 2012-06-12 15:01:39 +0200
commit 7c4214bd385be9a754facec116562183c447bddc
tree 69538717d361a76daa4c673f10ac23b699617149 /man
parent e35bbb974001682d1a6ab865bba044b3f9c1f6a3
Add documentation for signature hash algorithm enforcing to man ipsec.conf
Diffstat (limited to 'man')
-rw-r--r-- man/ipsec.conf.5.in 15
1 files changed, 11 insertions, 4 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 0385a02af..d27861a08 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -485,12 +485,19 @@ to (require the) use of the Extensible Authentication Protocol in IKEv2, and
.B xauth
for IKEv1 eXtended Authentication.
To require a trustchain public key strength for the remote side, specify the
-key type followed by the strength in bits (for example
-.BR rsa-2048
+key type followed by the minimum strength in bits (for example
+.BR ecdsa-384
or
-.BR ecdsa-256 ).
+.BR rsa-2048-ecdsa-256 ).
+To limit the acceptable set of hashing algorithms for trustchain validation,
+append hash algorithms to
+.BR pubkey
+or a key strength definition (for example
+.BR pubkey-sha1-sha256
+or
+.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
For
-.B eap,
+.B eap ,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
.BR eap-sim ,
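Review bot: The added paragraph starting "To limit the acceptable set of hashing algorithms for trustchain validation" leaves the semantics undefined. It does not say whether the listed hashes are checked on every signature in the trustchain or only on the end-entity certificate, and it does not list which hash names are accepted. The key-strength sentence above it has the same gap: it introduces the combined form `rsa-2048-ecdsa-256` without explaining how several key type/strength pairs are interpreted together. Please add a sentence for each, since an administrator relying on this option needs to know exactly what is rejected. Since examples in a man page tend to be copied verbatim, consider replacing `pubkey-sha1-sha256` with an example that does not include sha1. Separately, the change to `.B eap ,` sets the comma in bold with a space in front of it; `.BR eap ,` matches the trailing-punctuation form used on the neighbouring lines (`.BR eap-aka ,`).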