[strongSwan] User openssl's PUBKEY_VERIFY instead of gmp's for CVE-2017-11185
kumarkarthikn at gmail.com
Tue Aug 22 10:03:52 CEST 2017
Thanks for the answer. So it looks like for us, by default, the openssl
plugin does all the job (overriding gmp), which means we are almost invulnerable
(*almost* because of the rare case where openssl can't verify a signature and so gmp
takes over) to CVE-2017-11185. Woohoo!!!
On Tue, Aug 22, 2017 at 12:37 PM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Karthik,
> > * I have increased the priority of the gmp plugin, but openssl is loaded
> > last. I am thinking whichever is loaded last will override?
> It's the other way around: The first implementation registered will be
> used. Unless it fails to load the key, then the next registered
> implementation will be considered. The latter could also happen if you
> load a private key without specific type and don't have the pkcs1 plugin
> loaded, only the openssl plugin can load such keys directly, the others
> need the pkcs1 plugin to detect the type (or even to pre-parse the key).
> > * when both plugins have priority = 1 (load = yes) openssl is loaded
> > first and then gmp.
> That's due to the default plugin list (built by the configure script),
> which is used to order the plugins if they have the same priority.
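As an added example (not from the thread or from the strongSwan project), a strongswan.conf fragment that pins the registration order Tobias describes so openssl, not gmp, is the first implementation considered for PUBKEY_VERIFY. It assumes charon.load_modular = yes honours the per-plugin load settings and that a higher numeric load value is loaded (and so registered) before a lower one, with load = yes equal to priority 1 as the thread states.

```conf
# /etc/strongswan.conf (added example, not the project's own file)
charon {
    # Assumption: load_modular = yes makes charon use the per-plugin
    # "load" settings below instead of the single charon.load list.
    load_modular = yes

    plugins {
        # Assumption: a numeric "load" value is a priority and higher
        # values are loaded first. "load = yes" equals priority 1, so
        # openssl is registered ahead of gmp and handles signature
        # verification for every key it can load.
        openssl {
            load = 2
        }
        # gmp stays loaded only as the fallback for keys that openssl
        # cannot load; plugins with equal priority would fall back to the
        # configure-time default plugin list for their order.
        gmp {
            load = 1
        }
        # pkcs1 lets non-openssl plugins detect the type of untyped keys,
        # which is what makes the fallback path usable at all.
        pkcs1 {
            load = yes
        }
    }
}
```

After restarting charon, `ipsec statusall` prints the "loaded plugins:" line in registration order, so openssl should appear before gmp; if it does not, the priority assumption above needs checking against your strongSwan version.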