From: Martin Willi <martin@revosec.ch>
Date: Mon, 11 Jun 2012 13:48:03 +0000 (+0200)
Subject: Add documentation for signature hash algorithm enforcing to man ipsec.conf
X-Git-Tag: 5.0.0~120
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c4214bd385be9a754facec116562183c447bddc;p=thirdparty%2Fstrongswan.git

Add documentation for signature hash algorithm enforcing to man ipsec.conf
---

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 0385a02af6..d27861a08a 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -485,12 +485,19 @@ to (require the) use of the Extensible Authentication Protocol in IKEv2, and
 .B xauth
 for IKEv1 eXtended Authentication.
 To require a trustchain public key strength for the remote side, specify the
-key type followed by the strength in bits (for example
-.BR rsa-2048
+key type followed by the minimum strength in bits (for example
+.BR ecdsa-384
 or
-.BR ecdsa-256 ).
+.BR rsa-2048-ecdsa-256 ).
+To limit the acceptable set of hashing algorithms for trustchain validation,
+append hash algorithms to
+.BR pubkey
+or a key strength definition (for example
+.BR pubkey-sha1-sha256
+or
+.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
 For
-.B eap,
+.B eap ,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
 .BR eap-sim ,