Project

General

Profile

Feature #2427

Implementing RFC 8247

Added by Noel Kuntze over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
Start date:
Due date:
Estimated time:
Resolution:
Fixed

Description

RFC 8247 mandates that support for certain algorithms is removed and for certain others is added for IKEv2:
Removed: E.g. prf-md5, hmac-md5, null encryption, modp1024s160, modp768
Added: E.g. RSASSA-PSS

Somebody will ineviteably ask for it.


Related issues

Related to Feature #2367: Android client - RSASSA-PSSClosed2017-06-24

Associated revisions

Revision 10da451f (diff)
Added by Tobias Brunner over 1 year ago

proposal: Remove MD5 from default IKE proposal

RFC 8247 demoted MD5 to MUST NOT.

References #2427.

Revision 76c58498 (diff)
Added by Tobias Brunner over 1 year ago

proposal: Remove MODP-1024 from default IKE proposal

RFC 8247 demoted it to SHOULD NOT. This might break connections with
Windows clients unless they are configured to use a stronger group or
matching weak proposals are configured explicitly on the server.

References #2427.

Revision 43b59d13 (diff)
Added by Tobias Brunner over 1 year ago

ikev2: Don't use SHA-1 for RFC 7427 signature authentication

RFC 8247 demoted it to MUST NOT.

References #2427.

Revision 1c4b392a
Added by Tobias Brunner over 1 year ago

Merge branch 'rsassa-pss'

This adds support for RSASSA-PSS signatures in IKEv2 digital signature
authentication (RFC 7427), certificates and CRLs etc., and when signing
credentials via pki tool. For interoperability with older versions, the
default is to use classic PKCS#1 signatures. To use PSS padding either enable
rsa_pss via strongswan.conf or explicitly use it either via ike:rsa/pss...
auth token or the --rsa-padding option of the pki tool.

References #2427.

History

#1 Updated by Tobias Brunner over 1 year ago

#2 Updated by Tobias Brunner over 1 year ago

  • Tracker changed from Issue to Feature
  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.6.1
  • Resolution set to Fixed

Also available in: Atom PDF