[strongSwan] ECDSA failures with Strongswan 5.0.2 and openssl 1.0.1e-fips

Daniel Pocock daniel at pocock.com.au
Fri Jul 5 10:07:25 CEST 2013

I'm seeing the same problem using the strongSwan binary packages for OpenWRT

E.g. trying to examine an ECDSA cert:

# ipsec pki -a --type ecdsa-priv  --in wrt1Key.der
building CRED_PRIVATE_KEY - ECDSA failed, tried 2 builders
parsing input failed

I'm using the 5.0.0-1 package - would somebody be able to rebuild the
package with ECDSA support enabled?

On 04/04/13 17:00, Scot Hutchinson wrote:
> I rebuilt strongswan with the CFLAGS you suggested and that resolved the issue we were seeing.
> Thanks.
> Scot
> ________________________________________
> From: Tobias Brunner [tobias at strongswan.org]
> Sent: Tuesday, April 02, 2013 11:50 AM
> To: Scot Hutchinson
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] ECDSA failures with Strongswan 5.0.2 and openssl 1.0.1e-fips
> Hi Scot,
>> Apr  2 15:18:16 00[LIB] feature PUBKEY:ECDSA in 'pem' plugin has unsatisfied dependency: PUBKEY:ECDSA
> It seems the openssl plugin was not built with ECDSA support.  Which is
> strange if you used ipsec pki on the same host to create the ECDSA keys
> and certificates.  The openssl plugin uses openssl/conf.h to detect
> which features the OpenSSL library was built with.  Did you perhaps
> build strongSwan before you reconfigured OpenSSL with ECC support?  Or
> are perhaps the wrong OpenSSL header files used by strongSwan?  If so,
> you might want to try adding -I/path/to/proper/openssl/headers to the
> strongSwan CFLAGS.
> Regards,
> Tobias
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list