[Swan] PSK length in FIPS mode
jserink2004 at yahoo.com
Fri Jun 26 00:22:34 UTC 2020
Thanx for the response.Once I sorted out my security policies on the Cisco I all worked even with the warning.
Yes, 12 chars is quite small, I'l have to look at that.
Sent from Yahoo Mail on Android
On Wed, 24 Jun 2020 at 7:13 AM, Paul Wouters<paul at nohats.ca> wrote: On Tue, 23 Jun 2020, John Serink wrote:
> I am using libreswan to connect to a Cisco 4431 IOS based router.
> I am getting this error when using a 12 byte PSK:
> Jun 23 16:52:19 [pluto] "XXXX" #2: WARNING: connection XXXX PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes
> Here is the entry in the ipsec.secrets file:
> A.B.C.D : PSK "abcdefrghast"
> The PSK is 12 bytes.
I tried to reproduce this.
002 "westnet-eastnet-ipv4-psk-ikev2" #1: WARNING: connection westnet-eastnet-ipv4-psk-ikev2 PSK length of 12 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
What version of libreswan is this?
> I need to keep the PSK at 12 bytes as some industrial based routers we use in the field has a max of 12 bytes.
That is dangerously small, especially if you are using 12 ascii
characters and not true random hex.
> Is there any work around for this on libreswan?
It is only a warning when not running in FIPS mode. If you are running
in FIPS mode, then it might be a bug we have fixed on our end in the
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Swan