It's VITAL to use a DH exchange that is strong enough that it doesn't weaken the AES stream.
I don't know how to choose that, and it's likely that the defaults I have chosen are not very good.
Or maybe I should just make the default the strongest setting and then if anyone changes they clearly have done so at their own risk...
okay http://www.rfc-editor.org/rfc/rfc2412.txt
And CBC mode is cipher block chaining. That means that each block depends on the previous, preventing replay attacks.