From e698bdea247edd9f251ef6cd92cc75d4a31cc751 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Tue, 23 Jan 2018 11:35:03 +0100 Subject: [PATCH] man: Fix documentation of pubkey constraints Hash algorithms have to be repeated for multiple key types. References #2514. --- man/ipsec.conf.5.in | 5 +++-- src/swanctl/swanctl.opt | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 774df75acc..eef6efaa0a 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -609,9 +609,10 @@ To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms to .BR pubkey or a key strength definition (for example -.BR pubkey-sha1-sha256 +.BR pubkey-sha256-sha512 , +.BR rsa-2048-sha256-sha384-sha512 , or -.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ). +.BR rsa-2048-sha256-ecdsa-256-sha256-sha384 ). Unless disabled in .BR strongswan.conf (5), or explicit IKEv2 signature constraints are configured (see below), such key diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index 2dd9ea3741..5675b31cab 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -587,8 +587,9 @@ connections..remote.auth = pubkey key type followed by the minimum strength in bits (for example _ecdsa-384_ or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms to _pubkey_ or a key - strength definition (for example _pubkey-sha1-sha256_ or - _rsa-2048-ecdsa-256-sha256-sha384-sha512_). + strength definition (for example _pubkey-sha256-sha512_, + _rsa-2048-sha256-sha384-sha512_ or + _rsa-2048-sha256-ecdsa-256-sha256-sha384_). Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature constraints are configured (refer to the description of the **local** section's **auth** keyword for details), such key types and hash algorithms -- 2.47.2