[strongSwan] Strongswan AUTH payload signature hash algorithm for certificate based authentication
Kalyani Garigipati (kagarigi)
kagarigi at cisco.com
Tue Oct 11 19:20:49 CEST 2016
I am trying to bring up ikev2 sa between strongswan and cisco router.
The authentication method used is certificates and prf algorithm is SHA256.
· I wanted to know what is the hash algorithm that is used while generating the signature in AUTH payload for strongswan.
Is it SHA1 or SHA256 ?
· I observed that if I generate the signature in AUTH payload using SHA256, it fails the signature validation
If I generate the signature in authentication payload using SHA1 , it passes the signature validation.
RFC quotes below in page 94 of 5996
RSA Digital Signature 1
Computed as specified in Section 2.15<https://tools.ietf.org/html/rfc5996#section-2.15> using an RSA private key
with RSASSA-PKCS1-v1_5 signature scheme specified in [PKCS1<https://tools.ietf.org/html/rfc5996#ref-PKCS1>]
(implementers should note that IKEv1 used a different method for
RSA signatures). To promote interoperability, implementations
that support this type SHOULD support signatures that use SHA-1
as the hash function and SHOULD use SHA-1 as the default hash
function when generating signatures
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users