[strongSwan] ECDSA Vulnerability Proof of Concept?
andreas.steffen at strongswan.org
Mon May 6 22:38:47 CEST 2013
we generated a specially prepared ECDSA certificate containing
a zero length signature with which we proved that an actual exploit
is possible. But out of security considerations we do not want to
release this malformed certificate at the present moment.
If you want to run a test yourself just verify if the openssl
plugin has been built by checking the /usr/lib/ipsec/plugins/
directory for libstrongswan-openssl.so. If it is not present
then you have to enable the compilation with
./configure ... --enable-openssl
If an explicit "charon.load" statement exists in /etc/strongswan.conf
and the openssl plugin is not included then add it explicitly.
But usually all compiled plugins are loaded implicitly during runtime.
Use the command
to check if the openssl plugin is present.
On 06.05.2013 10:20, klybzh22 at wifirst.net wrote:
> Hi all,
> I want to know if there is a proof a concept of the vulnerability with
> ECDSA authentication? (CVE-2013-2944)
> If not, i would to test that.
> I work on Debian with the 4.5.2-1.5 version of Strongswan. But i built
> Strongswan with the default crypto backend.
> Must i rebuilt Strongswan with the openssl plugin (./confiure --enable
> openssl) or can i force its use for the verification for example with
> the strongswan.conf file?
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
More information about the Users