On Mon, 17 Feb 2020, John Crisp wrote:
No acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig in I2 Auth Payload
Does the other end run strongswan? It is not handling RSA-PSS properly as per RFC. If you were using the libreswan default of authby=rsasig, you can try changing it to authby=rsa-sha1 to disable all RFC 7427 support.
responding to Main Mode from unknown peer 213.4.186.104:46309 OAKLEY_GROUP 2 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
If you _really_ want, you can enable it at compile time with USE_DH2=true. But everything that supports DH2 also supports DH5. We are pretty sure nation states can successfully attack DH2. You really cannot expect to use crypto parameters that were already not the most secure TWENTY years ago to still keep working unmodified.
There is one drawback in increasing security levels. If people can't make it work, they'll just stick to the older insecure versions. And that helps no one really. So the question is how can I make my existing stuff work, or do I just have to revert to 3.29?
See above. But you should _really_ update your clients to at least DH5.

Paul
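
An added example, not part of the original message or of libreswan's code: a small triage script that scans pluto log lines for the two failures quoted in this thread and attaches the advice given in the reply. The sample log lines, their timestamps and prefixes, and the 192.0.2.10 address are constructed.

```python
import re
from collections import Counter

# Messages as quoted in the thread; the surrounding log prefix is not assumed.
PEER = re.compile(r"from unknown peer (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
DH_REJECTED = re.compile(r"OAKLEY_GROUP (\d+) not supported")
SIG_REJECTED = "No acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal"

# Advice taken from the reply above, keyed by finding type.
ADVICE = {
    "dh": "update the client to at least DH5 (USE_DH2=true is a compile-time last resort)",
    "sig": "if authby=rsasig is in use, try authby=rsa-sha1 (disables RFC 7427 support)",
}

def triage(lines):
    """Return (Counter of (peer, dh_group) rejections, count of signature-hash failures)."""
    dh_hits, sig_hits, last_peer = Counter(), 0, None
    for line in lines:
        m = PEER.search(line)
        if m:
            last_peer = m.group(1)  # the rejection may be logged on a later line
        m = DH_REJECTED.search(line)
        if m:
            dh_hits[(last_peer or "unknown", int(m.group(1)))] += 1
        if SIG_REJECTED in line:
            sig_hits += 1
    return dh_hits, sig_hits

def report(lines):
    """One line per peer/group pair, plus one line if signature negotiation failed."""
    dh_hits, sig_hits = triage(lines)
    out = [f"{peer}: DH{grp} proposed {n}x -> {ADVICE['dh']}"
           for (peer, grp), n in sorted(dh_hits.items())]
    if sig_hits:
        out.append(f"signature hash negotiation failed {sig_hits}x -> {ADVICE['sig']}")
    return out

# Constructed sample log (documentation address; timestamps and prefixes invented).
SAMPLE = """\
Feb 17 10:00:01 gw pluto[1]: responding to Main Mode from unknown peer 192.0.2.10:46309
Feb 17 10:00:01 gw pluto[1]: OAKLEY_GROUP 2 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Feb 17 10:00:09 gw pluto[1]: responding to Main Mode from unknown peer 192.0.2.10:46311 OAKLEY_GROUP 2 not supported.
Feb 17 10:02:00 gw pluto[1]: "site" #4: No acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig in I2 Auth Payload
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The peer attribution relies on the most recent "unknown peer" line, so on a busy gateway with interleaved negotiations the counts per peer are approximate.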
