bump up the default Diffie-Hellman group to modp3072; ok mikeb@ djm@

diff --git a/sbin/ipsecctl/ike.c b/sbin/ipsecctl/ike.c
index f638d98..f4638c6 100644 (file)
--- a/sbin/ipsecctl/ike.c
+++ b/sbin/ipsecctl/ike.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ike.c,v 1.79 2015/01/16 06:39:58 deraadt Exp $        */
+/*     $OpenBSD: ike.c,v 1.80 2015/05/25 19:29:36 naddy Exp $  */
 /*
  * Copyright (c) 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
  *
@@ -362,7 +362,7 @@ ike_section_p2(struct ipsec_rule *r, FILE *fd)
                        return (-1);
                }
        } else
-               group_desc = "MODP_1024";
+               group_desc = "MODP_3072";
 
        /* the transform name must not include "," */
        if (key_length && (p = strchr(key_length, ',')) != NULL)
@@ -531,7 +531,7 @@ ike_section_p1(struct ipsec_rule *r, FILE *fd)
                        return (-1);
                };
        } else
-               group_desc = "MODP_1024";
+               group_desc = "MODP_3072";
 
        switch (r->ikeauth->type) {
        case IKE_AUTH_PSK:

diff --git a/sbin/ipsecctl/ipsec.conf.5 b/sbin/ipsecctl/ipsec.conf.5
index 2abe006..abb80f1 100644 (file)
--- a/sbin/ipsecctl/ipsec.conf.5
+++ b/sbin/ipsecctl/ipsec.conf.5
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: ipsec.conf.5,v 1.148 2015/02/28 21:51:57 bentley Exp $
+.\"    $OpenBSD: ipsec.conf.5,v 1.149 2015/05/25 19:29:36 naddy Exp $
 .\"
 .\" Copyright (c) 2004 Mathieu Sauve-Frankel  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 28 2015 $
+.Dd $Mdocdate: May 25 2015 $
 .Dt IPSEC.CONF 5
 .Os
 .Sh NAME
@@ -345,7 +345,7 @@ will use the default values
 .Ar main ,
 .Ar hmac-sha1 ,
 .Ar aes ,
-.Ar modp1024 ,
+.Ar modp3072 ,
 and
 .Ar 3600 .
 .It Xo