Description of problem:
'ipsec auto --status' shows Blowfish being supported

Actual results:
# ipsec auto --status
....
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
....
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128

Expected results:
Customers have been supporting Blowfish with racoon in the field and may expect to be backward compatible when they migrate to openswan or when they set up an IPSEC connection running Racoon on one end and openswan on the other side. Also we can certainly disable the usage of Blowfish algorithm support since it's not on the approved list of FIPS 140-2 algorithms.

~rp
I've changed openswan's USE_EXTRACRYPTO option in Makefile.inc slightly. It was required to get the SHA2 family of functions, but it would bring in blowfish, twofish and serpent ciphers. I've moved the SHA2 into the default cipher list, so as of openswan 2.6.33+ Red Hat can disable USE_EXTRACRYPTO to not support blowfish/twofish/serpent, while keeping the SHA2 family supported.

Note that this applies only to userland (IKE) support. For ESP, we load "all" the crypto modules we can find. You can prevent this by customising the _startnetkey script for the Red Hat build, or just ensure those kernel modules are not available at all.

Note that ipsec auto --status will still show the ESP algo id number if you "rmmod blowfish" until it is restarted. I've just filed a bug on that in the openswan tracker.
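
Added example, not part of the original bug thread or of openswan: a shell check that parses 'ipsec auto --status' output in the format shown in the report and lists any Blowfish, Twofish or Serpent encryption entries, for both IKE and ESP. The function name and the AES and hash sample lines are constructed for illustration, and matching cipher names by substring is an assumption.

```shell
#!/bin/sh
# Added example: audit 'ipsec auto --status' output for the extra ciphers
# discussed in this thread (blowfish, twofish, serpent).

# Constructed sample. The two BLOWFISH lines are copied from the report;
# the AES and hash lines are constructed to show entries that must pass.
SAMPLE_STATUS='000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20'

# flag_extra_ciphers (hypothetical helper name): reads status text on stdin
# and prints one "SCOPE NAME id=N" line per flagged encryption algorithm.
# Prints nothing when no flagged cipher is advertised.
flag_extra_ciphers() {
    awk '
        # Only "algorithm <scope> encrypt:" lines are inspected; hash and
        # other status lines are skipped.
        $2 == "algorithm" && $4 == "encrypt:" {
            scope = $3; id = ""; name = ""
            for (i = 5; i <= NF; i++) {
                field = $i
                sub(/,$/, "", field)            # drop the trailing comma
                if (field ~ /^id=/)   id = substr(field, 4)
                if (field ~ /^name=/) name = substr(field, 6)
            }
            # Assumption: the cipher family appears as a substring of name.
            if (toupper(name) ~ /BLOWFISH|TWOFISH|SERPENT/)
                print scope, name, "id=" id
        }
    '
}

# Demo on the constructed sample; on a live host, pipe the real command:
#   ipsec auto --status | flag_extra_ciphers
printf '%s\n' "$SAMPLE_STATUS" | flag_extra_ciphers
```

Because the status output can keep listing the ESP entry after "rmmod blowfish" until a restart, as the comment above notes, run the check after the service has been restarted.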
Customer issue resolved and there has been no activity on the BZ for some time. Closing NOTABUG. Feel free to open a case with Red Hat Support via the Customer Portal if this is still an issue.