On Wed, 2017-11-29 at 10:54 +0100, Luca Niccoli wrote: > Is there a specific reason the default cipher proposal by > strongswan doesn't offer aes256-sha256-prfsha256-modp1024 anymore? > Would it be possible to add it back?
Hi, see the first point in https://wiki.strongswan.org/versions/67: ==== Several algorithms were removed from the default ESP/AH and IKEv2 proposals in compliance with RFC 8221 and RFC 8247, respectively. Removed from the default ESP/AH proposal were the 3DES and Blowfish encryption algorithms and the HMAC-MD5 integrity algorithm. From the IKEv2 default proposal the HMAC-MD5 integrity algorithm and the MODP-1024 Diffie-Hellman group were removed (the latter is significant for Windows clients in their default configuration). These algorithms may still be used in custom proposals. ==== We don't intend to divert from upstream on that (quite the contrary actually), so no we won't add it back. I'll add a note to NEWS.Debian though, so users are warned at upgrade time. Regards, -- Yves-Alexis
signature.asc
Description: This is a digitally signed message part

