From dc9acda297a0eebec6d38bcf7243305161ce6527 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Tue, 28 Jan 2025 14:27:02 +0100
Subject: Update charon.conf for bookworm.

---
 roles/common/files/etc/strongswan.d/charon.conf | 41 +++++++++++++++++++------
 1 file changed, 32 insertions(+), 9 deletions(-)

(limited to 'roles/common/files')

diff --git a/roles/common/files/etc/strongswan.d/charon.conf b/roles/common/files/etc/strongswan.d/charon.conf
index 7cbe7db..efb241c 100644
--- a/roles/common/files/etc/strongswan.d/charon.conf
+++ b/roles/common/files/etc/strongswan.d/charon.conf
@@ -8,7 +8,8 @@ charon {
     # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode.
     # accept_unencrypted_mainmode_messages = no
 
-    # Maximum number of half-open IKE_SAs for a single peer IP.
+    # Maximum number of half-open IKE_SAs (including unprocessed IKE_SA_INITs)
+    # for a single peer IP.
     # block_threshold = 5
 
     # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
@@ -34,8 +35,13 @@ charon {
     # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
     # close_ike_on_child_failure = no
 
-    # Number of half-open IKE_SAs that activate the cookie mechanism.
-    # cookie_threshold = 10
+    # Number of half-open IKE_SAs (including unprocessed IKE_SA_INITs) that
+    # activate the cookie mechanism.
+    # cookie_threshold = 30
+
+    # Number of half-open IKE_SAs (including unprocessed IKE_SA_INITs) for a
+    # single peer IP that activate the cookie  mechanism.
+    # cookie_threshold_ip = 3
 
     # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
     # delete_rekeyed = no
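Review bot: The new comment on the `cookie_threshold_ip` entry carries a doubled space in `the cookie  mechanism`; it should read `# single peer IP that activate the cookie  mechanism.` → `# single peer IP that activate the cookie mechanism.`. Both thresholds remain commented out in this hunk, so the values shown (30 and 3) presumably document the upstream defaults this file is tracking rather than settings this host enforces — worth confirming against the bookworm package's shipped charon.conf if the cookie/DoS behaviour is expected to be pinned here. The enclosing `charon {` block starts and ends outside the hunk.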
@@ -62,9 +68,6 @@ charon {
     # checks.
     # dos_protection = yes
 
-    # Compliance with the errata for RFC 4753.
-    # ecp_x_coordinate_only = yes
-
     # Free objects during authentication (might conflict with plugins).
     # flush_auth_cfg = no
 
@@ -256,6 +259,10 @@ charon {
     # Whether to use RSA with PSS padding instead of PKCS#1 padding by default.
     # rsa_pss = no
 
+    # Whether to encode an explicit trailerField value of 0x01 in the RSA-PSS
+    # algorithmIdentifier (CONTEXT3) or using the DEFAULT value by omitting it.
+    # rsa_pss_trailerfield = no
+
     # Delay in ms for sending packets, to simulate larger RTT.
     # send_delay = 0
 
@@ -338,11 +345,12 @@ charon {
         # Includes source file names and line numbers in leak detective output.
         # detailed = yes
 
-        # Threshold in bytes for leaks to be reported (0 to report all).
+        # Threshold in bytes for allocations to be included in usage reports (0
+        # to include all).
         # usage_threshold = 10240
 
-        # Threshold in number of allocations for leaks to be reported (0 to
-        # report all).
+        # Threshold in number of allocations for allocations to be included in
+        # usage reports (0 to include all).
         # usage_threshold_count = 0
 
     }
@@ -374,15 +382,30 @@ charon {
         # List of TLS encryption ciphers.
         # cipher =
 
+        # List of TLS key exchange groups.
+        # ke_group =
+
         # List of TLS key exchange methods.
         # key_exchange =
 
         # List of TLS MAC algorithms.
         # mac =
 
+        # Whether to include CAs in a server's CertificateRequest message.
+        # send_certreq_authorities = yes
+
+        # List of TLS signature schemes.
+        # signature =
+
         # List of TLS cipher suites.
         # suites =
 
+        # Maximum TLS version to negotiate.
+        # version_max = 1.2
+
+        # Minimum TLS version to negotiate.
+        # version_min = 1.2
+
     }
 
     x509 {
-- 
cgit v1.2.3