
doc: update man page to warn about RFC-5114 DH groups

And warn support will be removed in 2017
letoams committed Oct 12, 2016
1 parent 8bb4f97 commit a8923b53ed6bac606be4d1acfa8b1df1bb9b2076
Showing with 14 additions and 3 deletions.
  1. +5 −1 programs/configs/d.ipsec.conf/ike.xml
  2. +9 −2 programs/configs/d.ipsec.conf/phase2alg.xml
@@ -44,7 +44,11 @@ encryption is available, and should only be used for testing or benchmarking pur
insecure algorithms to be re-added to libreswan.
</para>
<para>Diffie-Hellman groups 22, 23 and 24 are also implemented as per RFC-5114. Instead of the modp
key syntax, use the "dh" keyword, for example <emphasis>ike=3des-sha1;dh23</emphasis>
key syntax, use the "dh" keyword, for example <emphasis>ike=3des-sha1;dh23</emphasis>. These specific
DH groups are extremely controversial and MUST NOT be used unless forced (administratively) by the other party.
Support for these groups will most likely be removed in 2017, as it cannot be proven these DH groups do not
have a cryptographic trapdoor embedded in them (a backdoor by the USG who gave us these primes without
revealing the seeds and generation process)
</para>
<para>The modp syntax will be removed in favour of the dh syntax.</para>
</listitem>
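
Review bot: The only "dh" keyword example in this paragraph is still `ike=3des-sha1;dh23`, one of the groups the new text says MUST NOT be used, and the next paragraph tells readers the modp syntax is going away in favour of the dh syntax. A reader migrating to the dh syntax is left with a discouraged group as the sole sample to copy. Consider adding a second example that uses a group outside RFC-5114 in the dh syntax, or marking the dh23 example as shown for syntax only. Smaller points in the same paragraph: the sentence ending "revealing the seeds and generation process)" has no closing period before `</para>`, and "USG" is not expanded anywhere in the visible text.
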
@@ -12,8 +12,15 @@ are necessarily supported here.</para>
instance, "3des-md5" or "aes256-sha1;modp2048" or "aes-sha1,aes-md5". When
specifying multiple algorithms, specify the PFSgroup last, e.g. "3des-md5,aes256-sha1;modp2048".
</para>
<para>For RFC-5114 DH groups, use the "dh" keyword, eg "aes256-sha1;dh23"
</para>
<para>For RFC-5114 DH groups, use the "dh" keyword, eg
"aes256-sha1;dh23". These specific DH groups are extremely controversial
and MUST NOT be used unless forced (administratively) by the other party.
Support for these groups will most likely be removed in 2017, as it
cannot be proven these DH groups do not have a cryptographic trapdoor
embedded in them (a backdoor by the USG who gave us these primes without
revealing the seeds and generation process) </para>
<para> The format for AH is AUTH followed by an optional PFSgroup. For
instance, "md5" or "sha1;modp1536".
</para>
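
Review bot: The warning added after "aes256-sha1;dh23" is a word-for-word copy of the paragraph added to ike.xml in this same commit, including the "removed in 2017" forecast, so both copies have to be found and edited when the groups are actually dropped. Consider keeping the full rationale in one of the two files and having the other refer to it. Style points in this paragraph: "eg" is written without periods while the context line just above uses "e.g.", the final sentence has no closing period, and there is a stray space in `process) </para>`.
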
