On Wed, 2017-11-29 at 10:54 +0100, Luca Niccoli wrote:
> Is there a specific reason the default cipher proposal by
> strongswan doesn't offer aes256-sha256-prfsha256-modp1024 anymore?
> Would it be possible to add it back? 

Hi,

see the first point in https://wiki.strongswan.org/versions/67:

====
    Several algorithms were removed from the default ESP/AH and IKEv2 proposals 
in compliance with
    RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH 
proposal were the
    3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity 
algorithm. From the IKEv2 default
    proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman 
group were removed (the
    latter is significant for Windows clients in their default configuration).
    These algorithms may still be used in custom proposals.
====

We don't intend to divert from upstream on that (quite the contrary actually),
so no we won't add it back. I'll add a note to NEWS.Debian though, so users
are warned at upgrade time.

Regards,
-- 
Yves-Alexis

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to