[strongSwan-dev] [PATCH] For PFS prefer DH group from IKE_SA over first configured

Thomas Egerer thomas.egerer at secunet.com
Fri Aug 23 14:15:44 CEST 2013


If PFS is configured for a CHILD_SA, first try to create a list of
proposals using the DH group negotiated during phase 1. If the
resulting list is empty (i.e. the DH group(s) configured for PFS differ
from the one(s) configured for the IKE_SA), fall back to the first
configured DH group from the CHILD_SA.
This modification is due to the fact that it is likely that the peer
supports the same DH group for PFS that it already did for the IKE_SA.

Signed-off-by: Thomas Egerer <thomas.egerer at secunet.com>
---
 src/libcharon/sa/ikev1/tasks/quick_mode.c | 72 +++++++++++++++++++++++--------
 1 file changed, 54 insertions(+), 18 deletions(-)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-For-PFS-prefer-DH-group-from-IKE_SA-over-first-confi.patch
Type: text/x-patch
Size: 3168 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20130823/2f906757/attachment.bin>
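
The selection order described in the commit message above, as an added C example that is not code from the patch or from strongSwan. `proposal_t`, `narrow()` and `pick_pfs_group()` are hypothetical, simplified stand-ins, and narrowing each kept proposal to a single DH group is an assumption made for this example.

```c
#include <stdio.h>

/* Hypothetical stand-in for a CHILD_SA proposal: its PFS DH groups only. */
typedef struct {
    int dh_groups[4];
    size_t dh_count;
} proposal_t;

/* Copy to out[] each proposal that offers `group`, narrowed to that single
 * group; proposals lacking it are dropped. Returns the number kept. */
static size_t narrow(const proposal_t *cfg, size_t n, int group, proposal_t *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < cfg[i].dh_count; j++)
            if (cfg[i].dh_groups[j] == group) {
                out[kept].dh_groups[0] = group;
                out[kept++].dh_count = 1;
                break;
            }
    return kept;
}

/* Returns the DH group to use for PFS (0 = PFS not configured) and fills
 * out[] / *out_n with the proposals to offer. */
int pick_pfs_group(const proposal_t *cfg, size_t n, int ike_group,
                   proposal_t *out, size_t *out_n)
{
    int first = 0;
    for (size_t i = 0; i < n && !first; i++)
        first = cfg[i].dh_count ? cfg[i].dh_groups[0] : 0;
    *out_n = 0;
    if (!first)
        return 0;                    /* no DH group configured: no PFS */
    *out_n = narrow(cfg, n, ike_group, out);
    if (*out_n)
        return ike_group;            /* preferred: group from the IKE_SA */
    *out_n = narrow(cfg, n, first, out);
    return first;                    /* fallback: first configured group */
}

int main(void)
{
    /* Constructed sample (IANA: 5 = MODP-1536, 14 = MODP-2048, 19 = ECP-256). */
    proposal_t cfg[] = { { {5, 14}, 2 }, { {19}, 1 } }, out[2];
    size_t n;
    printf("IKE_SA group 14 -> PFS group %d\n", pick_pfs_group(cfg, 2, 14, out, &n));
    printf("IKE_SA group 2  -> PFS group %d\n", pick_pfs_group(cfg, 2, 2, out, &n));
    return 0;
}
```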

