[strongSwan] RNGs and OpenSSL

Jafar Al-Gharaibeh jafar at atcorp.com
Thu Nov 9 21:42:26 CET 2017


What about?

What if I enable rdrand above, does that become the default for all random numbers used by strongSwan, ignoring OpenSSL's RNG?

Does enabling those other RNG plugins have any effect on OpenSSL itself? I.e., is there a way to set OpenSSL's RNG directly from strongSwan?



On 11/9/2017 2:39 PM, Noel Kuntze wrote:
> Correct.
>
> On 09.11.2017 21:38, Jafar Al-Gharaibeh wrote:
>> Noel,
>>
>>    Thank you for the quick response. I did search through the documentation and also the source code, but didn't find definitive answers to my questions. Do you have some pointers?
>>
>> I did see this in the man page which addresses my last question:
>>
>>   charon.plugins.openssl.engine_id [pkcs11]
>>                ENGINE ID to use in the OpenSSL plugin.
>>
>> charon.plugins.openssl.fips_mode [0]
>>                Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
>>
>>
>> So, are these the only available options?
>>
>> Thank you in advance,
>> Jafar
>>
>> On 11/9/2017 2:29 PM, Noel Kuntze wrote:
>>> Use the power of documentation (man pages).
>>>
>>> On 09.11.2017 21:22, Jafar Al-Gharaibeh wrote:
>>>> Hi,
>>>>
>>>>     I am compiling strongSwan with these options:
>>>>
>>>> --enable-openssl    #enables the OpenSSL crypto plugin.
>>>> #--enable-rdrand      # don't enable Intel RDRAND random generator plugin.
>>>> --disable-random    #disable RNG implementation on top of /dev/(u)random.
>>>>
>>>> Looking through the code, the OpenSSL plugin itself provides an RNG plugin, so I thought the above configuration
>>>> will make sure I'm using the OpenSSL RNG.  Is my assumption correct?
>>>>
>>>> What if I enable rdrand above, does that become the default for all random numbers used by strongSwan, ignoring OpenSSL's RNG?
>>>>
>>>> Does enabling those other RNG plugins have any effect on OpenSSL itself? I.e., is there a way to set OpenSSL's RNG directly from strongSwan?
>>>>
>>>> For OpenSSL (and other plugins), where do I find a list of all supported configuration options? For example, I found the following example on the strongSwan website; what other options can I set/unset there?
>>>>
>>>> charon {
>>>>     load_modular = yes
>>>>     interfaces_use = eth0
>>>>     plugins {
>>>>         openssl {
>>>>             fips_mode = 0
>>>>         }
>>>>         include strongswan.d/charon/*.conf
>>>>     }
>>>> }
>>>>
>>>>
>>>>
>>>> Many Thanks,
>>>> Jafar


