author | vanhu <vanhu@FreeBSD.org> | 2011-02-18 09:40:13 +0000 |
---|---|---|
committer | vanhu <vanhu@FreeBSD.org> | 2011-02-18 09:40:13 +0000 |
commit | b5386e15c14dd35dcd82a748b00a7a741b1238f9 (patch) | |
tree | 7caf902dec994fcea8dd9be967378950d398ba35 /UPDATING | |
parent | f9ba5edcb6ab519d38ac8a40899df85ba5713843 (diff) | |
Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant.
This will break interoperability with all older versions of
FreeBSD for those algorithms.
Reviewed by: bz, gnn
Obtained from: NETASQ
MFC after: 1w
Diffstat (limited to 'UPDATING')
-rw-r--r-- | UPDATING | 10 |
1 files changed, 10 insertions, 0 deletions
@@ -9,6 +9,16 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20110218: + IPsec's HMAC_SHA256-512 support has been fixed to be RFC4868 + compliant, and will now use half of hash for authentication. + This will break interoperability with all stacks (including all + actual FreeBSD versions) who implement + draft-ietf-ipsec-ciph-sha-256-00 (they use 96 bits of hash for + authentication). + The only workaround with such peers is to use another HMAC + algorithm for IPsec ("phase 2") authentication. + NOTE TO PEOPLE WHO THINK THAT FreeBSD 9.x IS SLOW: FreeBSD 9.x has many debugging features turned on, in both the kernel and userland. These features attempt to detect incorrect use of |
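Review bot: The 20110218 entry gives the old draft's truncation as an explicit figure ("they use 96 bits of hash for authentication") but describes the new behaviour only as "will now use half of hash for authentication". State the new lengths the same way, per algorithm (half of the hash is 128, 192 and 256 bits for SHA-256, SHA-384 and SHA-512), so an administrator can compare them directly against a peer's configuration. In the same entry, "all actual FreeBSD versions" reads as "current" and should say so, and "stacks ... who implement" should be "that implement". It would also help to say explicitly that both ends of a tunnel have to move to the fixed code together, since the entry's only stated workaround is to switch to another HMAC algorithm for phase 2.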