Comment 2 for bug 2007522

Andreas Hasenack (ahasenack) wrote:

The table titled "Diffie-Hellman groups" at the very end of this document[1], page 31, explicitly does NOT list modp6144:

modp2048 Regular group 14 (2048-bit modulus)
modp3072 Regular group 15 (3072-bit modulus)
modp4096 Regular group 16 (4096-bit modulus)
modp8192 Regular group 18 (8192-bit modulus)
modp2048s224 Modulo Prime Group 23 (2048-bit modulus, 224-bit subgroup)
modp2048s256 Modulo Prime Group 24 (2048-bit modulus, 256-bit subgroup)
ecp224 NIST Elliptic Curve Group 26
ecp256 NIST Elliptic Curve Group 19
ecp384 NIST Elliptic Curve Group 20
ecp521 NIST Elliptic Curve Group 21

But "Table 8 – Approved and Allowed Algorithms provided by the bound OpenSSL module" lists modp_6144, when provided by the openssl module.

I also checked the strongswan source package, and to no surprise, the patch that adds FIPS support also does not list MODP_6144.

At this point I'm unsure if the PDF is correct and the key thing is "when provided by openssl", or if it's a bug. I'll have to check with the "FIPS people". As far as I can tell, the openssl plugin is enabled by default. This algorithm can be provided by botan, openssl, and gcrypt. I'll check briefly if I'm using openssl in my test setup, and not one of the others.

1. https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4046.pdf