VPNaaS: enable sha384/sha512 auth algorithms for *Swan drivers

Bug #1747654 reported by Hunt Xu
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| neutron | Fix Released | Medium | Hunt Xu | |

Bug Description

When adding sha384 and sha512 auth algorithms for vendor drivers (bug #1638152), the commit message said "Openswan, Strongswan, Libreswan and Cisco CSR driver doesn't support" sha384 and sha512 as auth algorithms. However, after some research, all the *Swan drivers do support these two algorithms. So it is better to enable sha384/sha512 with *Swan drivers for security improvements.

- For StrongSwan, wiki pages back in mid-2014: [1][2].
- For LibreSwan, wiki page back in May 2016: [3].
- For OpenSwan, it is not well documented. However, the code last changed in Jan 2014 shows its awareness of these two algorithms: [4]

[1]. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites/16#Integrity-Algorithms
[2]. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites/35#Integrity-Algorithms
[3]. https://libreswan.org/wiki/index.php?title=FAQ&oldid=20707#Which_ciphers_.2F_algorithms_does_libreswan_support.3F
[4]. https://github.com/xelerance/Openswan/blob/master/lib/libopenswan/alg_info.c

Tags: vpnaas
Hunt Xu (huntxu)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-vpnaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/541250

Changed in neutron:
assignee: nobody → Hunt Xu (huntxu)
status: New → In Progress
Hunt Xu (huntxu)
Changed in neutron:
status: In Progress → New
Cao Xuan Hoang (hoangcx)
summary: - [RFE] VPNaaS: enable sha384/sha512 auth algorithms for *Swan drivers
+ VPNaaS: enable sha384/sha512 auth algorithms for *Swan drivers
Changed in neutron:
importance: Undecided → Medium
Hunt Xu (huntxu)
Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-vpnaas (master)

Reviewed: https://review.openstack.org/541250
Committed: https://git.openstack.org/cgit/openstack/neutron-vpnaas/commit/?id=03b6cc81876df2423c17532b8f2e0ef2bbb6a84b
Submitter: Zuul
Branch: master

commit 03b6cc81876df2423c17532b8f2e0ef2bbb6a84b
Author: Hunt Xu <email address hidden>
Date: Tue Feb 6 18:21:21 2018 +0800

    Enable sha384/sha512 auth algorithms for *Swan drivers

    Closes-Bug: #1747654
    Change-Id: I84d3ac6379bc0b6d483b557f38f3a462f0f1f1bf

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-vpnaas 13.0.0.0b1

This issue was fixed in the openstack/neutron-vpnaas 13.0.0.0b1 development milestone.
