-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When picking winning sec, properly filter out the ones we didn't declare #13
Comments
Eh, why'd they put sha1/aes at a lower q than sha1/null, especially when md5/aes is first :/ I guess that's enough motivation to support AUTH_HMAC_MD5 as well, that ought to be easy enough. I'll send a patch that supports md5 and picks the right pair |
martinetd@383ce05 should work better for this particular case; but thinking back this really should have worked: the Security-Server you gave as an example does list sha1/aes-cbc, with all other values (spi/ports) being identical, so while sha1+aes was't the first choice it should be supported... I didn't open a PR because your main branch is quite a bit far behind mine (alarm, some cleanup); but patch should apply cleanly if you want to try, and it should select md5/fix key length as you did so that'll probably work |
***@***.***
<martinetd@383ce05>
should work better for this particular case; but thinking back this really
should have worked: the Security-Server you gave as an example does list
sha1/aes-cbc, with all other values (spi/ports) being identical, so while
sha1+aes was't the first choice it should be supported...
Nope it shouldn't. The IPSec tunnel that the server prepared is the highest
q that is listed in both Security-Server and Security-Client. The server
doesn't prepare all intersecting variants
(maybe I misunderstood what you said)
Thanks for the commit. I wasn't aware I was late, I'll check up on that,
thanks.
Le ven. 7 juil. 2023 à 15:25, Dominique Martinet ***@***.***>
a écrit :
… ***@***.***
<martinetd@383ce05>
should work better for this particular case; but thinking back this really
should have worked: the Security-Server you gave as an example does list
sha1/aes-cbc, with all other values (spi/ports) being identical, so while
sha1+aes was't the first choice it should be supported...
I guess ultimately we'll have to leave it up to some configuration option
e.g. I sure would want to enable aes if there's a valid option that works
with aes even if it's not the first choice (the option could be "disallow
null encryption" or something simpler than actually selecting alg/ealg
though)
I didn't open a PR because your main branch is quite a bit far behind mine
(alarm, some cleanup); but patch should apply cleanly if you want to try,
and it should select md5/fix key length as you did so that'll probably work
—
Reply to this email directly, view it on GitHub
<#13 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAA4OQAOQOU3KHHYXREZNTXPAE4FANCNFSM6AAAAAAZ7IS2LU>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
Ah, I was about to say we don't send hmac-md5 in our security-client, but you've patched that as well in your branch -- I'll fix that to also offer md5. Ok so that makes sense, we just need to make the option adjust what is sent in Security-Client when we add one. |
- filter out unsupported alg/ealg in Security-Server - handle hmac-md5-96 alg - also adjust test to make sure this isn't too far off Fixes: phhusson#13
If we don't tell the server we accept hmac-md5-96 the tunnel won't be setup with it Fixes: phhusson#13
@phhusson Sorry should have said I updated the commit, please also take martinetd@c862196 (tip of my securityserver branch) for the Security-Client value |
If we don't tell the server we accept hmac-md5-96 the tunnel won't be setup with it Fixes: #13
Jio has:
The text was updated successfully, but these errors were encountered: