[strongSwan] Use openssl's PUBKEY_VERIFY instead of gmp's for CVE-2017-11185

Tobias Brunner tobias at strongswan.org
Tue Aug 22 09:07:17 CEST 2017


Hi Karthik,

> * I have increased the priority of gmp plugin, but openssl is loaded at
> the last. I am thinking whichever is loaded last will override?

It's the other way around: The first implementation registered will be
used.  Unless it fails to load the key, then the next registered
implementation will be considered.  The latter could also happen if you
load a private key without specific type and don't have the pkcs1 plugin
loaded; only the openssl plugin can load such keys directly, the others
need the pkcs1 plugin to detect the type (or even to pre-parse the key).

> * when both plugins have priority = 1 (load = yes) openssl is loaded
> first and then gmp. 

That's due to the default plugin list (built by the configure script),
which is used to order the plugins if they have the same priority.

Regards,
Tobias
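
The ordering and selection rules from the reply above, modelled as an added example (not part of the original message and not strongSwan source code). The default list, the provider set and all function names are constructed for illustration, and the model assumes that a higher numeric priority loads earlier, with `load = yes` counting as 1:

```python
# Illustrative model only. DEFAULT_ORDER is a constructed stand-in for the
# plugin list that the configure script generates.
DEFAULT_ORDER = ["pkcs1", "openssl", "gmp"]

# Plugins that register an RSA key implementation in this model (assumption).
RSA_PROVIDERS = {"openssl", "gmp"}


def load_order(priorities, default_order=DEFAULT_ORDER):
    """Order enabled plugins: higher priority first, ties by default list.

    `priorities` maps plugin name -> numeric load priority. Plugins that
    are missing from the map are treated as not loaded.
    """
    enabled = [p for p in default_order if p in priorities]
    # sorted() is stable, so equal priorities keep their default-list order.
    return sorted(enabled, key=lambda p: -priorities[p])


def pick_implementation(order, providers, can_handle):
    """Return the first registered provider that does not fail on the input.

    Later providers are only considered as fallbacks when earlier ones fail.
    """
    for plugin in order:
        if plugin in providers and can_handle(plugin):
            return plugin
    return None


def typed_key(_plugin):
    """A key with a known type: every provider in the model can load it."""
    return True


def untyped_key_check(order):
    """Untyped private key: without pkcs1 loaded, only openssl can parse it."""
    return lambda plugin: plugin == "openssl" or "pkcs1" in order


if __name__ == "__main__":
    equal = load_order({"pkcs1": 1, "openssl": 1, "gmp": 1})
    raised = load_order({"pkcs1": 1, "openssl": 1, "gmp": 5})
    print(equal, "->", pick_implementation(equal, RSA_PROVIDERS, typed_key))
    print(raised, "->", pick_implementation(raised, RSA_PROVIDERS, typed_key))
```

In this model, raising gmp's priority makes gmp's implementation the one that is used, so preferring openssl means keeping openssl ahead of gmp in the load order.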

