[strongSwan] ECDSA Vulnerability Proof of Concept?

Andreas Steffen andreas.steffen at strongswan.org
Mon May 6 22:38:47 CEST 2013

Hi Kelly,

we generated a specially prepared ECDSA certificate containing
a zero length signature with which we proved that an actual exploit
is possible. But out of security considerations we do not want to
release this malformed certificate at the present moment.

If you want to run a test yourself just verify if the openssl
plugin has been built by checking the /usr/lib/ipsec/plugins/
directory for libstrongswan-openssl.so. If it is not present
then you have to enable the compilation with

   ./configure ...  --enable-openssl

If an explicit "charon.load" statement exists in /etc/strongswan.conf
and the openssl plugin is not included then add it explicitly.
But usually all compiled plugins are loaded implicitly during runtime.
Use the command

    ipsec statusall

to check if the openssl plugin is present.

Best regards


On 06.05.2013 10:20, klybzh22 at wifirst.net wrote:
> Hi all,
> I want to know if there is a proof of concept of the vulnerability with
> ECDSA authentication? (CVE-2013-2944)
> If not, I would like to test that.
> I work on Debian with the 4.5.2-1.5 version of Strongswan. But I built
> Strongswan with the default crypto backend.
> Must I rebuild Strongswan with the openssl plugin (./configure
> --enable-openssl) or can I force its use for the verification for example with
> the strongswan.conf file?
> Thanks
> Kelly

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
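
The two on-disk checks described in the message above (is libstrongswan-openssl.so built, and does an explicit charon.load list leave it out), scripted as an added example that is not part of the original message or of strongSwan. The function names, the state strings and the `--check` switch are hypothetical; the default paths are the ones given in the message.

```shell
#!/bin/sh
# Added example (not from the original message or the strongSwan project).
# Function names and state strings are hypothetical.

# Print the value of an explicit "load = ..." statement found directly inside
# the top-level charon { } section; print nothing if there is none.
# Assumes one statement per line and "charon {" opening on its own line.
charon_load_list() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        depth == 0 && /^[ \t]*charon[ \t]*[{]/ { in_charon = 1 }
        in_charon && depth == 1 && /^[ \t]*load[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]+/, " ")
            print " " $0 " "                    # pad so names match as words
        }
        { depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
          if (depth == 0) in_charon = 0 }
    ' "$1"
}

# Usage: openssl_plugin_state PLUGIN_DIR STRONGSWAN_CONF
openssl_plugin_state() {
    plugin_dir=$1
    conf=$2
    if [ ! -e "$plugin_dir/libstrongswan-openssl.so" ]; then
        echo "not-built"                # needs ./configure --enable-openssl
        return 0
    fi
    list=
    if [ -r "$conf" ]; then
        list=$(charon_load_list "$conf")
    fi
    case $list in
        "")            echo "built-implicit-load" ;;    # all plugins loaded
        *" openssl "*) echo "built-explicit-load" ;;
        *)             echo "built-not-in-load-list" ;; # add it to charon.load
    esac
}

# With --check, run against the paths named in the message (or given ones).
if [ "${1:-}" = "--check" ]; then
    openssl_plugin_state "${2:-/usr/lib/ipsec/plugins}" "${3:-/etc/strongswan.conf}"
fi
```

The result describes only what is on disk and in the configuration file; `ipsec statusall`, as the message says, shows whether the plugin is present at runtime.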
