Gage has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/201135

Change subject: IPsec: improved cipher selection
......................................................................

IPsec: improved cipher selection

* For clarity, specify GCM in bytes instead of bits to match proposal output
* For clarity, explicitly specify null integrity algorithm
* Select pseudorandom function (PRF): SHA2_384
* ECDH: select Brainpool curve with 384-bit key
* ESP: Enable 64-bit extended sequence numbers (ESN)
* https://wikitech.wikimedia.org/wiki/IPsec#Cipher_selection
* https://wikitech.wikimedia.org/wiki/IPsec#Cipher_proposals

Change-Id: If2ac2b1def677dbcbf8cc95c849c4b6283e3c2dc
---
M modules/strongswan/templates/ipsec.conf.erb
1 file changed, 4 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/35/201135/1

diff --git a/modules/strongswan/templates/ipsec.conf.erb 
b/modules/strongswan/templates/ipsec.conf.erb
index f7c857a..3adc3f9 100644
--- a/modules/strongswan/templates/ipsec.conf.erb
+++ b/modules/strongswan/templates/ipsec.conf.erb
@@ -38,11 +38,10 @@
 
 conn %default
        # https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
-       # 
https://wiki.strongswan.org/projects/strongswan/wiki/CipherSuiteExamples
-       # http://www.strongswan.org/uml/testresults/ikev2/alg-aes-gcm/
-       # modp2048 = DH group 14
-       ike=aes128gcm128-aesxcbc-modp2048!
-       esp=aes128gcm128-modp2048!
+       # https://wikitech.wikimedia.org/wiki/IPsec#Cipher_selection
+       # https://wikitech.wikimedia.org/wiki/IPsec#Cipher_proposals
+       ike=aes128gcm16-null-prfsha384-ecp384bp!
+       esp=aes128gcm16-null-ecp384bp-esn!
        type=transport
        auto=start
 
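Review bot: the strict `!` suffix on both the new `ike=` and `esp=` lines, each with a single proposal, means a peer that is still running the old `aes128gcm128-aesxcbc-modp2048` proposal has no algorithm in common with an updated peer, so this change needs to reach both ends of every tunnel in the same puppet run, or the old proposal should be listed alongside the new one until the rollout completes. The removed `# modp2048 = DH group 14` comment was also useful documentation; consider adding an equivalent comment stating which IKEv2 DH group `ecp384bp` (the 384-bit Brainpool curve named in the commit message) corresponds to, since the two wikitech links do not replace it inline.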

-- 
To view, visit https://gerrit.wikimedia.org/r/201135
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If2ac2b1def677dbcbf8cc95c849c4b6283e3c2dc
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Gage <jger...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
