<div dir="ltr">Thanks for your answer. I have a one further question, <div><br></div><div>I increased the priority of gmp plugin,</div><div><i>/etc/strongswan/strongswan.d/charon/gmp.conf: load = 2 </i></div><div><i>/etc/strongswan/strongswan.d/charon/openssl.conf: load = yes<br></i></div><div><br></div><div>and it results in gmp plugin loading first and then openssl, sample log line</div><div><br></div><div><i>Aug 20 03:48:20 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 in plugin 'gmp' <br></i></div><div><i>Aug 20 03:48:20 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 in plugin 'openssl'<br></i></div><div><br></div><div>Does this mean <i>PUBKEY_VERIFICATION </i>will be done by openssl or gmp plugin ? I am confused because,</div><div>* I have increased the priory of gmp plugin, but openssl is loaded at the last. I am thinking whichever is loaded last will override ?</div><div>* when both plugins have priority = 1 (load = yes) openssl is loaded first and then gmp. </div><div><br></div><div><br></div><div>Thanks</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Aug 20, 2017 at 8:22 PM, karthik kumar <span dir="ltr"><<a href="mailto:kumarkarthikn@gmail.com" target="_blank">kumarkarthikn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><div><br><div class="gmail_quote"><div>On Sun, 20 Aug 2017 at 8:06 PM, Noel Kuntze <noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
On 20.08.2017 09:49, karthik kumar wrote:<br>
> Hi,<br>
> We are trying to mitigate CVE-2017-11185. We use older than 5.6.0 version of strongswan and upgrading will take significant time/effort.<br>
><br>
Why don't you patch?<br>
<br>
> The vulnerability is while gmp plugin doing signature verification, and I found that the same feature is provided by openssl (and gcrypt) so our plan is to use openssl plugin,<br>
> /<br>
> /<br>
> /OPENSSL is enabled /<br>
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>NULL in plugin 'openssl'/<br>
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA1 in plugin 'openssl'/<br>
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA224 in plugin 'openssl'/<br>
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA256 in plugin 'openssl'/<br>
> /Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA384 in plugin 'openssl'/<br>
> /.... <and so on>/<br>
> /<br>
> /<br>
> /GMP/<br>
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>NULL in plugin 'gmp'<br>
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA1 in plugin 'gmp'<br>
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA224 in plugin 'gmp'<br>
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA256 in plugin 'gmp'<br>
> Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_<wbr>SHA384 in plugin 'gmp'<br>
> ... <and so on><br>
><br>
> I have a couple of questions,<br>
> a. how do I determine if its safe to disable (load = no) the gmp plugin ? I compared all features of GMP listed in the log against openssl plugin features, and all of them are available in Openssl plugin. Is that enough or anything else I should consider checking before turning off gmp plugin ? (i have tested disabling gmp in my local and esp packets are created and sent properly)<br>
><br>
Your testing is faulty. strongSwan does not send ESP packets or does any traffic processing. It only sets up SAs and SPs. You need to check if the key exchange works.<br>
<br>
> b. I tried to increase the priority of openssl (load = 2) plugin. But I can't find a way to verify that signature verification is done by openssl plugin and not gmp plugin. Is there a way I can verify that ? (or rather how do I verify which plugin is executing certain feature when the same feature is provided by two loaded plugins)<br>
><br>
AFAIK There is no way to check that as of now. The logs mention the order of the plugins when they are loaded, if the logger configuration is correct. You can use the logs to figure out what plugin provides the functionality (it's the one that is loaded first).<br>
<br>
> Thanks<br>
><br>
<br>
</blockquote></div></div></div></div></blockquote></div><br></div>