CVSROOT:	/cvs
Module name:	src
Changes by:	to...@cvs.openbsd.org	2021/10/12 04:01:59

Modified files:
	sbin/iked      : iked.h ikev2.c policy.c

Log message:
Change responder to prefer DH group from KE payload.

Without this change the responder would always prefer the first DH group
configured in its policy. This would lead to invalid KE messages that cause
an additional exchange which old implementations do not support correctly.
Now we ignore the order of DH groups in the policy and prefer the group
from the policy that matches the KE payload.

from markus@
ok patrick@
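
The selection change described in the log message, as an added C example that is not iked's code: it compares choosing the first policy group with preferring the group carried in the initiator's KE payload, and reports when the responder would have to reject the KE payload and force a retry (the INVALID_KE_PAYLOAD case in RFC 7296). The function names, the sample group lists and the fallback to policy order when the KE group is not allowed are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data; values are IANA IKEv2 DH group ids. */
const int policy_groups[] = { 31, 19, 14 }; /* responder policy: curve25519, ecp256, modp2048 */
const int peer_groups[]   = { 14, 19, 31 }; /* groups offered in the peer's SA payload */
const int weak_peer[]     = { 2, 14 };      /* peer that also offers modp1024 */
#define N(a) (sizeof(a) / sizeof((a)[0]))

static int in_list(const int *l, size_t n, int g)
{
	for (size_t i = 0; i < n; i++)
		if (l[i] == g)
			return 1;
	return 0;
}

/* Behaviour before the change: first policy group the peer also offers. */
int select_policy_order(const int *pol, size_t np, const int *peer, size_t npeer)
{
	for (size_t i = 0; i < np; i++)
		if (in_list(peer, npeer, pol[i]))
			return pol[i];
	return -1;	/* no common group */
}

/* Behaviour after the change: take the KE payload's group when the policy
 * allows it. Falling back to policy order otherwise is an assumption here. */
int select_prefer_ke(const int *pol, size_t np, const int *peer, size_t npeer, int ke_group)
{
	if (in_list(pol, np, ke_group) && in_list(peer, npeer, ke_group))
		return ke_group;
	return select_policy_order(pol, np, peer, npeer);
}

/* 1 when the choice differs from the KE payload, so the peer must retry. */
int needs_retry(int selected, int ke_group)
{
	return selected != -1 && selected != ke_group;
}

int main(void)
{
	int before = select_policy_order(policy_groups, N(policy_groups), peer_groups, N(peer_groups));
	int after = select_prefer_ke(policy_groups, N(policy_groups), peer_groups, N(peer_groups), 14);
	printf("before: group %d retry=%d\n", before, needs_retry(before, 14));
	printf("after:  group %d retry=%d\n", after, needs_retry(after, 14));
	return 0;
}
```

A KE payload carrying a group outside the policy (group 2 in `weak_peer`) still results in a retry, so the policy's set of allowed groups is enforced either way; only the order is ignored.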