From: Michael Tremer Date: Wed, 5 Apr 2017 10:42:55 +0000 (+0100) Subject: IPsec: Drop SHA1 and MODP<=1536 from proposed ciphers X-Git-Tag: v2.19-core111~93 X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=570d54fd84ead452753ac7fd498c7ee760caa3ff IPsec: Drop SHA1 and MODP<=1536 from proposed ciphers IPsec is still proposing to use SHA1 and MODP-1536 or MODP-1024 when initiating a connection. These are considered weak although many off-the-shelf hardware is still using this as defaults. This patch disables those algorithms and additionally changes default behaviour to only accept the configured cipher suites. This might create some interoperability issues, but increases security of IPFire-to-IPFire IPsec connections. Signed-off-by: Michael Tremer
---
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index f4eccb1f0e..5c9a0f4d82 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -1897,15 +1897,15 @@ END
 #use default advanced value
 $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18];
- $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19];
- $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20];
+ $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256'; #[19];
+ $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048'; #[20];
 $cgiparams{'IKE_LIFETIME'} = '3'; #[16];
 $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21];
- $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22];
- $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23];
+ $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256'; #[22];
+ $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048'; #[23];
 $cgiparams{'ESP_KEYLIFE'} = '1'; #[17];
 $cgiparams{'COMPRESSION'} = 'on'; #[13];
- $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24];
+ $cgiparams{'ONLY_PROPOSED'} = 'on'; #[24];
 $cgiparams{'PFS'} = 'on'; #[28];
 }
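Review bot: These assignments sit under `#use default advanced value`, so they appear to seed only newly created connections; tunnels already saved with `sha`/`sha1` or the `1536`/`1024` groups would keep proposing them, and keep their stored `ONLY_PROPOSED` value, unless a migration outside this hunk rewrites them. If there is no such step, the commit message's "disables those algorithms" overstates the effect, and it is worth either rewriting stored settings on update or flagging affected connections in the UI so administrators can see which tunnels still negotiate the weak options. I would also add a comment above the block, e.g. `# SHA1 and MODP groups <= 1536 are intentionally not offered; ONLY_PROPOSED=on accepts only the suites listed here`, so a later interoperability fix does not quietly re-add them. The enclosing block starts before the hunk, so the condition that selects these defaults is not visible here.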