Some enhances in the compat ciphers (#464)

raise the IntegrityCheckMethod to SHA384

Move Windows to ECDSA

Increase IntegrityCheckMethod
Jack Ivanov 2017-04-23 22:00:37 +02:00 committed by Dan Guido
parent 0d1c760a63
commit 451394100d
5 changed files with 3 additions and 16 deletions


@ -35,8 +35,3 @@
- name: Define the commonName - name: Define the commonName
set_fact: set_fact:
IP_subject_alt_name: "{{ IP_subject_alt_name }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}"
- name: Change the algorithm to RSA
set_fact:
algo_params: "rsa:2048"
when: Win10_Enabled is defined and Win10_Enabled == "Y"


@ -25,5 +25,5 @@ ciphers:
ike: aes128gcm16-prfsha512-ecp256! ike: aes128gcm16-prfsha512-ecp256!
esp: aes128gcm16-ecp256! esp: aes128gcm16-ecp256!
compat: compat:
ike: aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048! ike: aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256!
esp: aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_256-prfsha256-modp2048! esp: aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256!
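Review bot: The `compat` lists have no comment saying which client each proposal serves, and the new third IKE proposal (`aes128-sha2_384-prfsha384-ecp256`) appears to exist only to match the Windows client settings changed elsewhere in this commit (AES128 / SHA384 / ECP256). With the `modp2048` proposal removed and the trailing `!` keeping the list strict, a client that cannot negotiate ECP256 will presumably fail to connect rather than fall back, so that should be stated as intentional. I would add a comment above `compat:` such as `# compat: 3rd IKE proposal matches the Windows 10 IKEv2 client (AES128-CBC/SHA384/ECP256); no MODP fallback by design`. Separately, the `prfsha512` token kept on the `esp:` line is probably inert, since ESP has no PRF transform; confirm how strongSwan parses it and drop it if so.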


@ -1,5 +1 @@
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
{{ IP_subject_alt_name }} : RSA {{ item }}.key
{% else %}
{{ IP_subject_alt_name }} : ECDSA {{ item }}.key {{ IP_subject_alt_name }} : ECDSA {{ item }}.key
{% endif %}


@ -1,3 +1,3 @@
certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ item }}.p12 certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ item }}.p12
Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup none
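Review bot: `-PfsGroup none` on the new `Set-VpnConnectionIPsecConfiguration` line means child-SA rekeys do not perform a fresh Diffie-Hellman exchange, so rekeyed ESP keys are derived from the IKE SA's key material and get no forward secrecy of their own. The server-side ESP proposals in this same commit all name `ecp256` and the list is strict (`!`), so a rekey proposed by the Windows client without a PFS group may also fail to match; this is inferred from the configuration and not verified against a live client. Since the line already moves to `-DHGroup ECP256`, consider `-PfsGroup ECP256` so both sides agree and rekeys keep PFS.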


@ -1,5 +1 @@
{% if Win10_Enabled is defined and Win10_Enabled == "Y" %}
: RSA {{ IP_subject_alt_name }}.key
{% else %}
: ECDSA {{ IP_subject_alt_name }}.key : ECDSA {{ IP_subject_alt_name }}.key
{% endif %}