[vpnc-devel] Updating the repository
jmvpnc at loplof.de
Thu Aug 10 22:11:31 CEST 2006
On Thu, Aug 10, 2006 at 06:02:16PM +0200, Dan Villiom Podlaski Christiansen wrote:
> I can't tell from the code how vpnc would behave when no supported
> encryption is found.

The negotiation of transform sets will fail.

> However, it appears single DES won't be used unless
> the above option is used.

That's how it is today, but there is a simple alternative: When we (as
the initiator) send the list of our supported transform sets, then we
could (at the end of the list) include 1des and null. *If* the
concentrator then sends one of these two (1des, null) transform sets
back to us, we check whether that option was actually configured. If
not, we terminate the negotiation and print a message saying that we do
not support such a weak encryption without explicit configuration.

> Perhaps that message should be extended to reflect that cipher
> negotiation failed.

I think the way I describe above should be the way to go. Corrections
and better ideas should of course be preferred.
Joerg Mayer <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
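
The check proposed in the message above, as an added example that is not part of the original post and is not vpnc code: the initiator offers 1des and null last, then refuses the concentrator's choice if it is one of those two and the explicit option is unset. The enum names, `check_selection`, `weak_enabled` and the extra "not offered" case are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical identifiers for this example; these are not vpnc's names. */
enum transform { T_AES256, T_AES128, T_3DES, T_1DES, T_NULL, T_OTHER };
enum verdict { V_ACCEPT, V_WEAK_NOT_CONFIGURED, V_NOT_OFFERED };

/* Offer sent by the initiator: strong transforms first, 1des and null last. */
static const enum transform offer[] = { T_AES256, T_AES128, T_3DES, T_1DES, T_NULL };
#define OFFER_LEN (sizeof offer / sizeof offer[0])

static int is_weak(enum transform t)
{
    return t == T_1DES || t == T_NULL;
}

/* Judge the transform the concentrator sent back.
 * weak_enabled stands for the explicit configuration option (assumed name). */
enum verdict check_selection(enum transform chosen, int weak_enabled)
{
    size_t i;
    for (i = 0; i < OFFER_LEN; i++)
        if (offer[i] == chosen)
            break;
    if (i == OFFER_LEN)
        return V_NOT_OFFERED;          /* peer picked something we never sent */
    if (is_weak(chosen) && !weak_enabled)
        return V_WEAK_NOT_CONFIGURED;  /* terminate and tell the user why */
    return V_ACCEPT;
}

const char *verdict_message(enum verdict v)
{
    switch (v) {
    case V_ACCEPT: return "transform accepted";
    case V_WEAK_NOT_CONFIGURED:
        return "peer selected 1des/null; weak encryption is not enabled in the configuration";
    default: return "peer selected a transform that was not offered";
    }
}

int main(void)
{
    /* Constructed case: concentrator answers with single DES, option unset. */
    puts(verdict_message(check_selection(T_1DES, 0)));
    return 0;
}
```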