[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Thu Mar 8 18:43:36 UTC 2018
New commits:
commit 9c3e9ae9206d3bca637032c7f44ce93aa87094f2
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 8 22:42:29 2018 +0400
testing: update for sha2_truncbug output moving from bool to policy bit
commit 976d1199cf251f0d00058b7964842e45cd3242a2
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 8 22:41:21 2018 +0400
pluto: clean up sha2_truncbug=yes code
Don't use a bool in whack_message and connection, just use a policy bit.
commit 221450c8e54cec15810e2cf2b13adb4677b75653
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 8 22:19:38 2018 +0400
testing: rename ikev2-algo-sha2-08 -> ikev2-algo-sha2-08-truncbug
commit a031270cefc7a6dc197f2781777aa05b5ad5ebdd
Author: Paul Wouters <pwouters at redhat.com>
Date: Thu Mar 8 21:44:20 2018 +0400
pluto: add msdh-downgrade=yes|no (default no) configuration option
This option stands for Microsoft DiffieHellman Downgrade. It is
required for when a Microsoft Windows client is configured to use
DH2048 using the registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256
This option is partially broken, and at rekey times, Windows will
fallback to its (very shamefully default weak) DH1024. This option
allows you to let Windows use this very broken weak perfect forward
secrecy protection anyway. Hopefully Windows will fix this soon.
This commit adds the policy option POLICY_MSDH_DOWNGRADE but does not
actually implement using this policy bit yet.
More information about the Swan-commit
mailing list