From 4270c8fcb07f37100889695d19a3a3e876f2a1b8 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 10 May 2017 19:32:53 +0200
Subject: stroke: Make 96-bit truncation for SHA-256 configurable
---
 man/ipsec.conf.5.in | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'man/ipsec.conf.5.in')
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index ee7d86089..fef44ae21 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -1141,6 +1141,13 @@ a value of 0 disables IPsec replay protection.
 .BR reqid " = "
 sets the reqid for a given connection to a pre-configured fixed value.
 .TP
+.BR sha256_96 " = " no " | yes"
+HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility
+with implementations that incorrectly use 96-bit truncation this option may be
+enabled to configure the shorter truncation length in the kernel. This is not
+negotiated, so this only works with peers that use the incorrect truncation
+length (or have this option enabled).
+.TP
 .BR tfc " = "
 number of bytes to pad ESP payload data to. Traffic Flow Confidentiality is currently supported in IKEv2 and applies to outgoing packets only. The
--
cgit v1.2.3