IPsec: Drop SHA1 and MODP<=1536 from proposed ciphers
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 5 Apr 2017 10:42:55 +0000 (11:42 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 5 Apr 2017 10:42:55 +0000 (11:42 +0100)
IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024
when initiating a connection. These are considered weak, although
much off-the-shelf hardware still uses them as defaults.

This patch disables those algorithms and additionally changes
default behaviour to only accept the configured cipher suites.

This might create some interoperability issues, but increases
security of IPFire-to-IPFire IPsec connections.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/vpnmain.cgi

index f4eccb1f0ef9c985f7fab7ae8f8616a48435dd0b..5c9a0f4d82e5f6afc1144fbf4349b4fec5e0903d 100644 (file)
@@ -1897,15 +1897,15 @@ END
 
        #use default advanced value
        $cgiparams{'IKE_ENCRYPTION'}    = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
-       $cgiparams{'IKE_INTEGRITY'}             = 'sha2_512|sha2_256|sha'; #[19];
-       $cgiparams{'IKE_GROUPTYPE'}             = '4096|3072|2048|1536|1024'; #[20];
+       $cgiparams{'IKE_INTEGRITY'}             = 'sha2_512|sha2_256'; #[19];
+       $cgiparams{'IKE_GROUPTYPE'}             = '4096|3072|2048'; #[20];
        $cgiparams{'IKE_LIFETIME'}              = '3'; #[16];
        $cgiparams{'ESP_ENCRYPTION'}    = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
-       $cgiparams{'ESP_INTEGRITY'}             = 'sha2_512|sha2_256|sha1'; #[22];
-       $cgiparams{'ESP_GROUPTYPE'}             = '4096|3072|2048|1536|1024'; #[23];
+       $cgiparams{'ESP_INTEGRITY'}             = 'sha2_512|sha2_256'; #[22];
+       $cgiparams{'ESP_GROUPTYPE'}             = '4096|3072|2048'; #[23];
        $cgiparams{'ESP_KEYLIFE'}               = '1'; #[17];
        $cgiparams{'COMPRESSION'}               = 'on'; #[13];
-       $cgiparams{'ONLY_PROPOSED'}             = 'off'; #[24];
+       $cgiparams{'ONLY_PROPOSED'}             = 'on'; #[24];
        $cgiparams{'PFS'}                               = 'on'; #[28];
 }
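Review bot: The new defaults on lines 27–28 and 33–34 only take effect where this block runs — presumably when a connection has no stored advanced values, as the `#use default advanced value` comment suggests — so connections already saved with SHA1 or MODP-1024/1536 keep those settings and are not hardened by this change; if that is intended, it should be stated. A comment above line 24 such as `# Secure defaults for new connections: SHA1 and MODP<=1536 are intentionally omitted (see commit message); stored settings of existing connections are not rewritten here` would make the rationale visible to the next maintainer. Line 38 also flips ONLY_PROPOSED to 'on', so with these defaults a peer offering only the removed algorithms is refused rather than negotiated down to; that is consistent with the description's interoperability caveat but is worth a short inline note next to the assignment. The enclosing subroutine begins before the hunk.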