>> For the responder, when no ike=, it defaults to accepting almost
>> anything.  That includes MD5, serpent, and twofish (but not cast,
>> which is ESP only).
>
>
> It should not include these three. Md5 is too weak and all md5 users
> do sha1. And serpent/twofish are weird ducks and should not be used
> unless explicitly configured.

Ok.

That's a separate change; it will need some thought, and libreswan in
FIPS mode already behaves correctly (I'd like to avoid the obvious
hack of adding hardwired switches to filter these out; perhaps a
per-algorithm should_not flag similar to FIPS-compliant).

Andrew
_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
