[Swan] PSK length in FIPS mode

John Serink jserink2004 at yahoo.com
Fri Jun 26 00:22:34 UTC 2020


Hi Paul:
Thanks for the response. Once I sorted out my security policies on the Cisco it all worked even with the warning.
Yes, 12 chars is quite small, I'll have to look at that.

cheers,
john

On Wed, 24 Jun 2020 at 7:13 AM, Paul Wouters <paul at nohats.ca> wrote:

On Tue, 23 Jun 2020, John Serink wrote:

> I am using libreswan to connect to a Cisco 4431 IOS based router.
> I am getting this error when using a 12 byte PSK:
> Jun 23 16:52:19 [pluto] "XXXX" #2: WARNING: connection XXXX PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes required)
> 
> Here is the entry in the ipsec.secrets file:
> A.B.C.D : PSK "abcdefrghast"
> 
> The PSK is 12 bytes.

I tried to reproduce this.

002 "westnet-eastnet-ipv4-psk-ikev2" #1: WARNING: connection westnet-eastnet-ipv4-psk-ikev2 PSK length of 12 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)

What version of libreswan is this?

> I need to keep the PSK at 12 bytes as some industrial based routers we use in the field have a max of 12 bytes.

That is dangerously small, especially if you are using 12 ASCII
characters and not true random hex.

> Is there any work around for this on libreswan?

It is only a warning when not running in FIPS mode. If you are running
in FIPS mode, then it might be a bug we have fixed on our end in the
past.

Paul
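
An added example, not part of the thread or of libreswan's code: a pre-deployment check of `ipsec.secrets` PSK entries against the two FIPS minimums quoted in the warnings above, with an upper bound on the entropy of a typed secret compared with the same number of random bytes. The function names, the second sample entry and the character-class entropy estimate are assumptions made for illustration.

```python
import math
import re

# Minimum PSK lengths in bytes, copied from the two warnings quoted in the thread.
FIPS_MIN_PSK_BYTES = {"sha": 10, "HMAC_SHA2_512": 32}

# Matches entries such as:  A.B.C.D : PSK "secret"   or   ... : PSK 0x0011aabb
PSK_LINE = re.compile(
    r'^(?P<ids>.*?)\s*:\s*PSK\s+(?:"(?P<text>[^"]*)"|0x(?P<hex>(?:[0-9a-fA-F]{2})+))\s*$')

def entropy_upper_bound_bits(text):
    """Upper bound for a typed secret: length * log2(size of the alphabet in use)."""
    alphabet = 0
    alphabet += 26 if re.search(r"[a-z]", text) else 0
    alphabet += 26 if re.search(r"[A-Z]", text) else 0
    alphabet += 10 if re.search(r"[0-9]", text) else 0
    alphabet += 33 if re.search(r"[^a-zA-Z0-9]", text) else 0
    return len(text) * math.log2(alphabet) if alphabet else 0.0

def audit_secrets(secrets_text, prf):
    """Return one finding per PSK entry for the given PRF name."""
    required = FIPS_MIN_PSK_BYTES[prf]
    findings = []
    for line in secrets_text.splitlines():
        m = PSK_LINE.match(line.strip())
        if not m:
            continue  # comments, blank lines, non-PSK secrets
        if m.group("hex") is not None:
            key = bytes.fromhex(m.group("hex"))
            bits = 8.0 * len(key)  # reached only if the bytes are truly random
        else:
            key = m.group("text").encode("utf-8")
            bits = entropy_upper_bound_bits(m.group("text"))
        findings.append({"ids": m.group("ids"), "bytes": len(key),
                         "max_entropy_bits": round(bits, 1),
                         "meets_fips_min": len(key) >= required})
    return findings

# Constructed sample: first entry is the one from the thread, second is made up.
SAMPLE = '''
# ipsec.secrets (constructed sample)
A.B.C.D : PSK "abcdefrghast"
192.0.2.1 192.0.2.2 : PSK 0x00112233445566778899aabb
'''

if __name__ == "__main__":
    for prf in FIPS_MIN_PSK_BYTES:
        for f in audit_secrets(SAMPLE, prf):
            print(prf, f)
```

Both sample secrets are 12 bytes long, but the lowercase-only string carries at most about 56 bits of entropy against 96 for random bytes, which is the distinction drawn in the reply above.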
  