[IPSEC] Add additional curve-based DH Groups (31+)
DH Group 31/32 (incl. curve25519) variants are available in Strongswan and it would be nice to have them as additions to the DH Group dropdown.
#4 Updated by Jim Pingle about 1 month ago
- Status changed from Feedback to In Progress
That was quick. Fix is in upstream: https://wiki.strongswan.org/projects/strongswan/repository/revisions/97708f7ff7571a159ca9a3d03804ffc506469449/diff
Will test with that after 2.4.4-p3 ships and we have 2.5.0 snapshots going again.
#8 Updated by Jens Groh about 1 month ago
Jim Pingle wrote:
The first patch to add group 31 might, but the 32 would not since it requires a patch to strongSwan. I only tested on 2.5.0.
Not trying to add complexity to this. But a patch for DH31 capability I'd take for sure ;)
As german BSI recommends using elliptic curve ciphers like 25519-based, brainpool or secpxxxRy that would help against people using bad/old/unsafe cipher suites and settings (had to shout one down recently that tried to sneak a 3DES one in).
But really appreciate the fast response on that on in general! Thanks a lot!