From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 19 Sep 2017 09:04:37 +0000 (+0200)
Subject: proposal: Remove MODP-1024 from default IKE proposal
X-Git-Tag: 5.6.1rc1~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=76c58498efd1a80a70966889bd3fdc3b9e863b06;p=thirdparty%2Fstrongswan.git

proposal: Remove MODP-1024 from default IKE proposal

RFC 8247 demoted it to SHOULD NOT. This might break connections with
Windows clients unless they are configured to use a stronger group or
matching weak proposals are configured explicitly on the server.

References #2427.
---

diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index b4245d3de4..46c3c9400a 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -973,6 +973,8 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 				/* only for testing purposes */
 				break;
 			case MODP_768_BIT:
+			case MODP_1024_BIT:
+			case MODP_1536_BIT:
 				/* weak */
 				break;
 			case MODP_1024_160:
@@ -980,7 +982,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			case MODP_2048_256:
 				/* RFC 5114 primes are of questionable source */
 				break;
-			case MODP_1536_BIT:
 			case ECP_224_BIT:
 			case ECP_224_BP:
 			case ECP_192_BIT:
@@ -988,7 +989,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 				/* rarely used */
 				break;
 			case MODP_2048_BIT:
-			case MODP_1024_BIT:
 				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
 				break;
 			default: