[strongSwan] Some confusion about RSA and ECDSA support in Strongswan
Martin Willi
martin at strongswan.org
Fri Jan 4 17:56:12 CET 2013
Hi Christian,
> Do I have to enable the openssl support only for creating such
> certificates? (Currently on a Debian host with Strongswan 5.0.1)
> Or do I also need the openssl support during the key exchange?
During the exchange, you have to create and/or verify signatures using
the algorithm of the key in your certificates. So yes, you need the
openssl backend to create/verify ECDSA signatures.
> How about RSA? There is obviously no need for openssl for building a
> certificate with rsa keypairs. So there is an implementation in Strongswam
> itself, right?
Yes, our default RSA implementation comes with the "gmp" plugin, built
using the primitives from the GNU MP Bignum Library. But the OpenSSL
backend of course provides its own implementation of RSA, and so does
our gcrypt backend.
You can also have a look at the output of "ipsec listplugins", which
shows the features provided by each plugin. PRIVKEY_SIGN provides
signature capabilities for the given signature scheme, PUBKEY_VERIFY the
associated verification operation (while the PUBKEY/PRIVKEY provide just
loading of encoded keys, and PRIVKEY_GEN generation of keys).
Regards
Martin
More information about the Users
mailing list