modify ciphers #247

trailofbits · Apr 10, 2017 · c7fead5 · c7fead5
1 parent 92b07aa
commit c7fead5
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 9 deletions.
diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml
@@ -21,12 +21,9 @@ strongswan_enabled_plugins:
   - x509
 
 ciphers:
-  old:
-    ike: aes128gcm16-sha2_256-prfsha256-ecp256!
-    esp: aes128gcm16-sha2_256-ecp256!
   defaults:
-    ike: aes192gcm16-prfsha512-ecp521!
-    esp: aes192gcm16-ecp521!
+    ike: aes128gcm16-sha2_512-prfsha512-ecp256!
+    esp: aes128gcm16-sha2_512-ecp256!
   windows:
-    ike: aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
-    esp: aes128gcm16-sha2_256-ecp256,aes256-sha2_256-modp2048!
+    ike: aes128gcm16-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048!
+    esp: aes128gcm16-sha2_512-ecp256,aes128-sha2_256-modp2048!
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2
@@ -64,7 +64,7 @@
                     <key>EncryptionAlgorithm</key>
                     <string>AES-128-GCM</string>
                     <key>IntegrityAlgorithm</key>
-                    <string>SHA2-256</string>
+                    <string>SHA2-512</string>
                     <key>LifeTimeInMinutes</key>
                     <integer>20</integer>
                 </dict>
@@ -85,7 +85,7 @@
                     <key>EncryptionAlgorithm</key>
                     <string>AES-128-GCM</string>
                     <key>IntegrityAlgorithm</key>
-                    <string>SHA2-256</string>
+                    <string>SHA2-512</string>
                     <key>LifeTimeInMinutes</key>
                     <integer>20</integer>
                 </dict>