List:       libreswan-commit
Subject:    [Swan-commit] Changes to ref refs/heads/master
From:       cagney () vault ! libreswan ! fi (Andrew Cagney)
Date:       2018-04-22 1:47:27
Message-ID: 20180422014727.2AE2B31E1F63 () vault ! libreswan ! fi

New commits:
commit 4d8b5208772c31fdc9f90dc213ff8ed94d4f660f
Merge: 050397c 6957b3c
Author: Andrew Cagney <cagney@gnu.org>
Date:   Sat Apr 21 21:24:12 2018 -0400

    algparse: when PFS=yes, reject esp=aes,3des;dh21 - instead all or no proposals must specify DH
    
    For ESP/AH, and when PFS=yes, require either all proposals or no proposals
    specify a DH algorithm.  This makes things consistent with ike= and
    eliminates a loosely defined piece of syntax.
    
    IKEv1 also requires the same algorithm.
    IKEv2 allows one algorithm + none for now.
    
    For instance, the above should be changed to esp=aes;dh21,3des;dh21.
    
    Merge commit '6957b3cf11ea54c3668b5454d465901308ba0306'

commit 6957b3cf11ea54c3668b5454d465901308ba0306
Author: Andrew Cagney <cagney@gnu.org>
Date:   Sat Apr 21 20:29:13 2018 -0400

    testing: expect an error when esp=aes,3des;modp2048 et al.

commit 95db0b62418f60d13cbc5f6413b4599f022042d6
Author: Andrew Cagney <cagney@gnu.org>
Date:   Sat Apr 21 20:23:26 2018 -0400

    algparse: when pfs=yes, reject aes,3des;modp2048
    
    Instead require explicit DH be added to each proposal, i.e.
    aes;modp2048,3des;modp2048.  This way flipping between IKEv1
    and IKEv2 doesn't change the proposal choice.

_______________________________________________
Swan-commit mailing list
Swan-commit@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-commit
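
The rule described in the commit messages above, as an added example that is not libreswan's algparse code: a small lint that flags an esp=/ah= value mixing proposals with and without DH when pfs=yes, plus the IKEv1 same-algorithm requirement. The function names are hypothetical, the parsing assumes comma-separated proposals with the DH group after `;` (the form used in the messages), and the IKEv2 "one algorithm + none" case is not modeled.

```python
# Added illustration; not libreswan's algparse code.
# Assumption: proposals are comma-separated and a proposal's DH group,
# if any, is the token after ';' (the form used in the commit messages).

def split_proposals(value):
    """Return [(proposal_text, dh_or_None), ...] for an esp=/ah= value."""
    result = []
    for raw in value.split(","):
        prop = raw.strip()
        if not prop:
            raise ValueError("empty proposal in %r" % value)
        _body, sep, dh = prop.partition(";")
        dh = dh.strip().lower()
        if sep and not dh:
            raise ValueError("';' with no DH algorithm in %r" % prop)
        result.append((prop, dh or None))
    return result


def check_dh_consistency(value, pfs=True, ikev1=False):
    """Return a list of problems; an empty list means the value passes."""
    if not pfs:
        return []  # the commits only describe the pfs=yes case
    proposals = split_proposals(value)
    with_dh = [p for p, dh in proposals if dh]
    without_dh = [p for p, dh in proposals if not dh]
    problems = []
    if with_dh and without_dh:
        problems.append(
            "DH given for %s but not for %s; all or no proposals must specify DH"
            % (", ".join(with_dh), ", ".join(without_dh)))
    groups = sorted({dh for _, dh in proposals if dh})
    if ikev1 and len(groups) > 1:
        problems.append(
            "IKEv1 requires the same DH in every proposal, got " + ", ".join(groups))
    return problems


if __name__ == "__main__":
    # Constructed sample values, taken from the forms quoted in the commits.
    for sample in ("aes,3des;dh21", "aes;dh21,3des;dh21",
                   "aes,3des;modp2048", "aes;modp2048,3des;modp2048"):
        print("esp=%s ->" % sample, check_dh_consistency(sample) or "ok")
```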