Hi Harald,

> Do you think it would be possible to dynamically change the input
> form, depending upon whether it's x509, PSK, smartcard or eap? The
> current static design is the confusing part.

I guess so. If somebody wants to do it, patches are welcome.

> I am not asking you to lower it. But the admin managing the PSKs
> on his high-end VPN gateway on the peer doesn't know about this
> restriction in strongswan. How would you like to address this?

That strong secrets are enforced is already mentioned on the NM wiki page [1]. I guess we could add the actual minimum length. Or what did you have in mind?

> Surely I understand that PSKs should be avoided in favor of server
> certificate and EAP, but it's hard for me to close a valid Debian bug
> report about n-m-s, telling the user to drop PSKs and to try EAP
> instead. Maybe it would help to officially set the PSK feature in
> n-m-s to "deprecated"?

I've no problem with that. Something like adding "(deprecated)" to the "Pre-shared key" entry of the authentication method drop-down field?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
