[Swan-dev] What if ike=aes_gcm_a128-null; modp2048 matches nothing?

Paul Wouters paul at nohats.ca
Mon Jan 5 18:20:36 EET 2015


On Mon, 5 Jan 2015, Andrew Cagney wrote:

> I'm trying to get pluto to negotiate ike=aes_gcm_a128-null;modp2048
> with a remote end.
>
> One unexpected behaviour I've encountered is that when
> oakley_alg_makedb() returns nothing - in my case it silently(1)
> rejected the null integrity algorithm - leading pluto to instead
> select AES_CBC.  I suspect pluto should have instead aborted the
> connection.
> Ignoring my immediate bug, what should the correct behaviour be?

Yes, that would have been better. I guess what happens is that all the
failed entries are skipped, and if the end result is nothing, then it
will pick up the default proposal list. I agree that we should just
fail to load the connection in that case.

Paul
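The failure mode discussed above, as an added illustration that is not pluto's code (the real parser is oakley_alg_makedb(), which is not reproduced here): a proposal string of the form ENCR-INTEG;GROUP is filtered against a fixed support table, and the two policies for an empty result are shown side by side. The support table, the `load_lenient()`/`load_strict()` names and the default proposal are assumptions made for the example; the table deliberately lacks a "null" integrity entry so that the thread's ike=aes_gcm_a128-null;modp2048 is dropped, and the lenient loader then silently offers the AES_CBC-style default while the strict loader refuses to load the connection.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of proposal-string filtering, not pluto's implementation. */
#define ALG_NAME_MAX 32

typedef struct {
    char encr[ALG_NAME_MAX];
    char integ[ALG_NAME_MAX];
    char group[ALG_NAME_MAX];
} proposal_t;

/* Hypothetical support table. "null" integrity is intentionally absent to
 * reproduce the symptom from the thread: the AEAD+null entry gets dropped. */
static const char *const supported_encr[]  = {"aes", "aes_gcm_a128", NULL};
static const char *const supported_integ[] = {"sha1", "sha2_256", NULL};
static const char *const supported_group[] = {"modp1024", "modp2048", NULL};

/* Assumed built-in default, standing in for the AES_CBC proposal pluto fell back to. */
static const proposal_t default_proposal = {"aes", "sha1", "modp2048"};

static bool is_supported(const char *const *table, const char *name)
{
    for (; *table != NULL; table++)
        if (strcmp(*table, name) == 0)
            return true;
    return false;
}

/* Split "encr-integ;group" into three NUL-terminated fields of at most n-1 chars.
 * Returns false on malformed or oversized input. */
static bool split_proposal(const char *spec, char *encr, char *integ, char *group, size_t n)
{
    const char *dash = strchr(spec, '-');
    const char *semi = strchr(spec, ';');
    if (dash == NULL || semi == NULL || semi < dash)
        return false;
    size_t el = (size_t)(dash - spec);
    size_t il = (size_t)(semi - dash - 1);
    size_t gl = strlen(semi + 1);
    if (el == 0 || il == 0 || gl == 0 || el >= n || il >= n || gl >= n)
        return false;
    memcpy(encr, spec, el);      encr[el] = '\0';
    memcpy(integ, dash + 1, il); integ[il] = '\0';
    memcpy(group, semi + 1, gl); group[gl] = '\0';
    return true;
}

/* Filter one proposal against the support table.
 * Returns the number of entries that survived (0 or 1 for a single spec). */
static int filter_proposal(const char *spec, proposal_t *out)
{
    char e[ALG_NAME_MAX], i[ALG_NAME_MAX], g[ALG_NAME_MAX];
    if (!split_proposal(spec, e, i, g, ALG_NAME_MAX))
        return 0;
    if (!is_supported(supported_encr, e) ||
        !is_supported(supported_integ, i) ||
        !is_supported(supported_group, g))
        return 0; /* entry silently skipped; nothing is left */
    strcpy(out->encr, e);
    strcpy(out->integ, i);
    strcpy(out->group, g);
    return 1;
}

/* Lenient policy (the observed behaviour): an empty result falls back to the
 * default proposal, so the admin's explicit choice is replaced without error. */
static int load_lenient(const char *spec, proposal_t *out)
{
    if (filter_proposal(spec, out) == 0)
        *out = default_proposal;
    return 0; /* always reports success */
}

/* Strict policy (the behaviour agreed in the thread): an empty result is a
 * configuration error and the connection is not loaded. Returns -1 on failure. */
static int load_strict(const char *spec, proposal_t *out)
{
    if (filter_proposal(spec, out) == 0)
        return -1;
    return 0;
}

int main(void)
{
    const char *spec = "aes_gcm_a128-null;modp2048"; /* the spec from the thread */
    proposal_t p;

    load_lenient(spec, &p);
    printf("lenient: offered %s-%s;%s\n", p.encr, p.integ, p.group);

    if (load_strict(spec, &p) < 0)
        printf("strict: refusing to load connection, no usable proposal in \"%s\"\n", spec);
    return 0;
}
```

The lenient loader never signals a problem, so the only trace of the substitution is the unexpected algorithm seen on the wire; the strict loader turns the same condition into a load-time error where the operator can act on it.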

