Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New ciphers implementing #247 #352

Merged
merged 7 commits into from
Apr 11, 2017
Merged

New ciphers implementing #247 #352

merged 7 commits into from
Apr 11, 2017

Conversation

jackivanov
Copy link
Collaborator

@jackivanov jackivanov commented Apr 5, 2017
edited by defunctio
Loading

Additional testing required.
The cipher suite should be review

  • MacOS
  • iOS
  • Android
  • Windows
  • Ubuntu 17.04 (network-manager)

@dguido
Copy link
Member

dguido commented Apr 5, 2017
edited
Loading

I think we can keep aes128gcm16 and ecp256 unless there is a good reason to switch both. We should hardcode the prf (prfsha512) like before. IMHO default and windows should look like:

defaults:
ike: aes128gcm16-sha2_512-prfsha512-ecp256!
esp: aes128gcm16-sha2_512-ecp256!

windows:
ike: aes128gcm16-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048!
esp: aes128gcm16-sha2_512-ecp256,aes128-sha2_256-modp2048!

(unless we find we can support something better on Windows after the Creators Update comes out)

@dguido
Copy link
Member

dguido commented Apr 5, 2017

This PR closes #247 btw

@dguido
Copy link
Member

dguido commented Apr 5, 2017

You need to change the mobileconfig too

defunctio
defunctio approved these changes Apr 5, 2017
View reviewed changes
Copy link
Contributor

@defunctio defunctio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@dguido
Copy link
Member

dguido commented Apr 5, 2017

Works on iOS 10.3.1

@jackivanov
Copy link
Collaborator Author

macOS 10.12.4 works

@defunctio
Copy link
Contributor

Ubuntu 17.04 confirmed with above requested changes.

@jackivanov
Revert "add URLStringProbe"
cfaf7fc 
This reverts commit b06524d.
@jackivanov
Copy link
Collaborator Author

Works on Windows 10

@anderm3
Copy link

anderm3 commented Apr 11, 2017

Works on Android 7.1.1 strongSwan 1.8.2

@defunctio defunctio merged commit 56a72e5 into master Apr 11, 2017
@jackivanov jackivanov deleted the new_cipher_suit branch April 12, 2017 16:58
@jauderho
Copy link
Contributor

Should the order be reversed?

Right now, it's

ciphers:
defaults:
ike: aes128gcm16-sha2_512-prfsha512-ecp256!
esp: aes128gcm16-sha2_512-ecp256!
compat:
ike: aes128-sha2_512-prfsha512-ecp256,aes128gcm16-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048!
esp: aes128-sha2_512-ecp256,aes128gcm16-sha2_512-ecp256,aes128-sha2_256-modp2048!

Should it be

ciphers:
defaults:
ike: aes128gcm16-sha2_512-prfsha512-ecp256!
esp: aes128gcm16-sha2_512-ecp256!
compat:
ike: aes128gcm16-sha2_512-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048!
esp: aes128gcm16-sha2_512-ecp256,aes128-sha2_512-ecp256,aes128-sha2_256-modp2048!

@dguido
Copy link
Member

dguido commented Apr 15, 2017

Yes, it should! @gunph1ld can you please make this change? Strongest ciphers first.

@dguido
Copy link
Member

dguido commented Apr 15, 2017

@jauderho in your comment on going from AES256 to 128: the additional security margin gains nothing between the two sizes, but 128 will generate less overhead in terms of network, cpu, etc. We default to 128 when available.

faf0 pushed a commit to faf0/algo that referenced this pull request Dec 13, 2018
@gunph1ld @defunctio
New ciphers implementing trailofbits#247 (trailofbits#352)
5cd9f5c 
Switches to SHA2_512_256 HMAC integrity algorithm and adds cipher compatibility for other platforms.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@defunctio defunctio defunctio approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jackivanov @dguido @defunctio @anderm3 @jauderho