New commits: commit 9c3e9ae9206d3bca637032c7f44ce93aa87094f2 Author: Paul Wouters <pwout...@redhat.com> Date: Thu Mar 8 22:42:29 2018 +0400
testing: update for sha2_truncbug output moving from bool to policy bit commit 976d1199cf251f0d00058b7964842e45cd3242a2 Author: Paul Wouters <pwout...@redhat.com> Date: Thu Mar 8 22:41:21 2018 +0400 pluto: clean up sha2_truncbug=yes code Don't use a bool in whack_message and connection, just use a policy bit. commit 221450c8e54cec15810e2cf2b13adb4677b75653 Author: Paul Wouters <pwout...@redhat.com> Date: Thu Mar 8 22:19:38 2018 +0400 testing: rename ikev2-algo-sha2-08 -> ikev2-algo-sha2-08-truncbug commit a031270cefc7a6dc197f2781777aa05b5ad5ebdd Author: Paul Wouters <pwout...@redhat.com> Date: Thu Mar 8 21:44:20 2018 +0400 pluto: add msdh-downgrade=yes|no (default no) configuration option This option stands for Microsoft DiffieHellman Downgrade. It is required for when a Microsoft Windows client is configured to use DH2048 using the registry value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 This option is partially broken, and at rekey times, Windows will fallback to its (very shamefully default weak) DH1024. This option allows you to let Windows use this very broken weak perfect forward secrecy protection anyway. Hopefully Windows will fix this soon. This commit adds the policy option POLICY_MSDH_DOWNGRADE but does not actually implement using this policy bit yet. _______________________________________________ Swan-commit mailing list Swan-commit@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan-commit