[Swan-dev] defaults for ike= and esp= need updating?
Tuomo Soini
tis at foobar.fi
Tue Dec 13 16:16:37 UTC 2016
On Tue, 13 Dec 2016 10:53:18 -0500 (EST)
Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 13 Dec 2016, Tuomo Soini wrote:
>
> > Sorry. We can't drop modp1024 from default ikev1 proposals before
> > Windows fixes their algo support to include modp2048.
>
> It already needs to be dropped when in FIPS mode. I'm happy for
> people to need to specify modp1024 using an ike= line if they still
> need that today. We will put a big warning in the announcement and
> changelog.
Exactly my point. We know it will break a lot of systems, so we need to
give a big warning.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>