]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
projects / thirdparty / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0e621f6)
testing: Configure curve25519-sha256 as key exchange for SSH
authorTobias Brunner <tobias@strongswan.org>
Mon, 26 Jun 2023 12:20:14 +0000 (14:20 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 13 Jul 2023 08:48:53 +0000 (10:48 +0200)
With Debian bookworm, the PQC KE sntrup761x25519-sha512 is negotiated, by
default.  This increases the overhead significantly, in particular, the
size of the KE message, which wouldn't get through IPsec tunnels without
MSS clamping.

testing/hosts/default/etc/ssh/sshd_config patch | blob | blame | history

diff --git a/testing/hosts/default/etc/ssh/sshd_config b/testing/hosts/default/etc/ssh/sshd_config
index f4ced3e37420bc93440d07fbda44836f710a05b5..700c7caaf7f64008207e584c2a91ba25782c35eb 100644 (file)
--- a/testing/hosts/default/etc/ssh/sshd_config
+++ b/testing/hosts/default/etc/ssh/sshd_config
@@ -1,6 +1,7 @@
 Port 22
 Protocol 2
 Ciphers aes128-gcm@openssh.com
+KexAlgorithms curve25519-sha256
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 PermitRootLogin yes
Unnamed repository; edit this file 'description' to name the repository.