[strongSwan] RNGs and OpenSSL
Jafar Al-Gharaibeh
jafar at atcorp.com
Thu Nov 9 21:38:57 CET 2017
Noel,

Thank you for the quick response. I did search through the
documentation and also the source code, but didn't find definitive
answers to my questions. Do you have some pointers?

I did see this in the man page which addresses my last question:

    charon.plugins.openssl.engine_id [pkcs11]
        ENGINE ID to use in the OpenSSL plugin.

    charon.plugins.openssl.fips_mode [0]
        Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B
        enabled(2).

So, are these the only available options?

Thank you in advance,
Jafar

On 11/9/2017 2:29 PM, Noel Kuntze wrote:
> Use the power of documentation (man pages).
>
> On 09.11.2017 21:22, Jafar Al-Gharaibeh wrote:
>> Hi,
>>
>> I am compiling StrongSwan with these options:
>>
>> --enable-openssl #enables the OpenSSL crypto plugin.
>> #--enable-rdrand # don't enable Intel RDRAND random generator plugin.
>> --disable-random #disable RNG implementation on top of /dev/(u)random.
>>
>> Looking through the code, the OpenSSL plugin itself provides an RNG plugin, so I thought the above configuration will make sure I'm using the OpenSSL RNG. Is my assumption correct?
>>
>> What if I enable rdrand above? Does that become the default for all random numbers used by strongSwan, ignoring OpenSSL's RNG?
>>
>> Does enabling those other RNG plugins have any effect on OpenSSL itself? I.e., is there a way to set OpenSSL's RNG directly from strongSwan?
>>
>> For OpenSSL (and other plugins), where do I find a list of all supported configuration options? For example, I found the following example on the strongSwan website; what other options can I set/unset there?
>>
>> charon {
>>     load_modular = yes
>>     interfaces_use = eth0
>>     plugins {
>>         openssl {
>>             fips_mode = 0
>>         }
>>         include strongswan.d/charon/*.conf
>>     }
>> }
>>
>>
>>
>> Many Thanks,
>> Jafar