man: Fix documentation of pubkey constraints

Hash algorithms have to be repeated for multiple key types. References #2514.
2018-01-23 11:35:03 +01:00 · 2018-01-23 11:35:03 +01:00 · e698bdea24
parent bb58dfb9b5
commit e698bdea24
2 changed files with 6 additions and 4 deletions
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@ -609,9 +609,10 @@ To limit the acceptable set of hashing algorithms for trustchain validation,
 append hash algorithms to
 .BR pubkey
 or a key strength definition (for example
-.BR pubkey-sha1-sha256
+.BR pubkey-sha256-sha512 ,
+.BR rsa-2048-sha256-sha384-sha512 ,
 or
-.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
+.BR rsa-2048-sha256-ecdsa-256-sha256-sha384 ).
 Unless disabled in
 .BR strongswan.conf (5),
 or explicit IKEv2 signature constraints are configured (see below), such key
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@ -587,8 +587,9 @@ connections.<conn>.remote<suffix>.auth = pubkey
 	key type followed by the minimum strength in bits (for example _ecdsa-384_
 	or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms
 	for trustchain validation, append hash algorithms to _pubkey_ or a key
-	strength definition (for example _pubkey-sha1-sha256_ or
-	_rsa-2048-ecdsa-256-sha256-sha384-sha512_).
+	strength definition (for example _pubkey-sha256-sha512_,
+	_rsa-2048-sha256-sha384-sha512_ or
+	_rsa-2048-sha256-ecdsa-256-sha256-sha384_).
 	Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature
 	constraints are configured (refer to the description of the **local**
 	section's **auth** keyword for details), such key types and hash algorithms