man: Fix documentation of pubkey constraints

Hash algorithms have to be repeated for multiple key types.

References #2514.

diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 774df75acc306a579d602e24566cca9b0c7f5603..eef6efaa0ad7e9c7d24bc6a7b31ae8f46681bd8b 100644 (file)
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -609,9 +609,10 @@ To limit the acceptable set of hashing algorithms for trustchain validation,
 append hash algorithms to
 .BR pubkey
 or a key strength definition (for example
-.BR pubkey-sha1-sha256
+.BR pubkey-sha256-sha512 ,
+.BR rsa-2048-sha256-sha384-sha512 ,
 or
-.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
+.BR rsa-2048-sha256-ecdsa-256-sha256-sha384 ).
 Unless disabled in
 .BR strongswan.conf (5),
 or explicit IKEv2 signature constraints are configured (see below), such key

diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 2dd9ea3741b6a9342de5891391ada3b0d8e43caa..5675b31cab8e9abf8f8ec54bf1cc296bb4ed58c9 100644 (file)
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -587,8 +587,9 @@ connections.<conn>.remote<suffix>.auth = pubkey
        key type followed by the minimum strength in bits (for example _ecdsa-384_
        or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms
        for trustchain validation, append hash algorithms to _pubkey_ or a key
-       strength definition (for example _pubkey-sha1-sha256_ or
-       _rsa-2048-ecdsa-256-sha256-sha384-sha512_).
+       strength definition (for example _pubkey-sha256-sha512_,
+       _rsa-2048-sha256-sha384-sha512_ or
+       _rsa-2048-sha256-ecdsa-256-sha256-sha384_).
        Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature
        constraints are configured (refer to the description of the **local**
        section's **auth** keyword for details), such key types and hash algorithms