[Swan-dev] simplifying default IKEv1 IKE algorithms
Paul Wouters
paul at nohats.ca
Mon Feb 6 19:18:38 UTC 2017
On Mon, 6 Feb 2017, Andrew Cagney wrote:
>> I'm confused, this is IKEv1 specific?
>
> Yes, IKEv1 IKE specific.
>
>> If there is no ike line, then MD5 gets rejected right?
>
> By the responder, in FIPS mode, yes, it would be rejected. The call
> to ikev1_get_ike_prf_desc() would fail.
>
>> And serpent
>> or twofish or cast?
>
> By the responder, in FIPS mode, yes, it would be rejected. The call
> to ikev1_get_ike_encrypt_desc() would fail.
Those should still not be in the _default_ set for IKEv1 when not in
FIPS mode! Same for dh23/dh24 and modp1024!
Paul
More information about the Swan-dev
mailing list