[Pkg-swan-devel] Bug#883072: Bug#883072: strongswan-libcharon: Upgrade to 5.6.1-2 changed cypher proposals, can't connect to VPN anymore

Yves-Alexis Perez corsac at debian.org
Wed Nov 29 12:34:24 UTC 2017


On Wed, 2017-11-29 at 10:54 +0100, Luca Niccoli wrote:
> Is there a specific reason the default cipher proposal by
> strongswan doesn't offer aes256-sha256-prfsha256-modp1024 anymore?
> Would it be possible to add it back? 

Hi,

see the first point in https://wiki.strongswan.org/versions/67:

====
    Several algorithms were removed from the default ESP/AH and IKEv2 proposals in compliance with
    RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH proposal were the
    3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKEv2 default
    proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the
    latter is significant for Windows clients in their default configuration).
    These algorithms may still be used in custom proposals.
====

We don't intend to divert from upstream on that (quite the contrary actually),
so no, we won't add it back. I'll add a note to NEWS.Debian though, so users
are warned at upgrade time.

Regards,
-- 
Yves-Alexis
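
The following is an added example, not part of the original message and not strongSwan or Debian code: a small audit of `ipsec.conf`-style text that lists explicit `ike=`/`esp=`/`ah=` proposals depending on algorithms the quoted changelog says were removed from the defaults. The function names, the keyword-to-name mapping and the sample configuration are constructed for illustration.

```python
import re

# Algorithms removed from the 5.6.1 default proposals, per the quoted changelog.
# Mapping from strongSwan proposal keywords is this example's assumption.
REMOVED_IKE = {"md5": "HMAC-MD5", "modp1024": "MODP-1024"}
REMOVED_ESP_AH = {"3des": "3DES", "md5": "HMAC-MD5"}

SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn legacy-client
    ike=aes256-sha256-prfsha256-modp1024!
    esp=aes256-sha256,3des-md5

conn modern
    ike=aes256-sha256-modp2048   # not affected
    esp=aes128gcm16
"""  # constructed sample, not taken from the bug report

def removed_algorithms(key, proposal):
    """Return names of algorithms in one proposal that left the defaults."""
    table = REMOVED_IKE if key == "ike" else REMOVED_ESP_AH
    found = []
    for token in proposal.lower().split("-"):
        if token in table:
            found.append(table[token])
        elif key != "ike" and token.startswith("blowfish"):
            found.append("Blowfish")
    return found

def audit(conf_text):
    """Scan ipsec.conf text; return (conn, key, proposal, removed) tuples."""
    findings, conn = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header line
            m = re.match(r"conn\s+(\S+)", line)
            conn = m.group(1) if m else None      # "config setup" resets
            continue
        m = re.match(r"\s+(ike|esp|ah)\s*=\s*(\S+)", line)
        if m and conn:
            for proposal in m.group(2).rstrip("!").split(","):
                hits = removed_algorithms(m.group(1), proposal)
                if hits:
                    findings.append((conn, m.group(1), proposal, hits))
    return findings
```

A connection flagged here only negotiates with a peer that also carries a matching custom proposal, since the peer's defaults no longer include these algorithms.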