[strongSwan] RNGs and OpenSSL

Jafar Al-Gharaibeh jafar at atcorp.com
Fri Nov 10 06:53:32 CET 2017


Thanks Noel!

   Going back to the config options, what exactly is engine_id here:

charon.plugins.openssl.engine_id [pkcs11]
                ENGINE ID to use in the OpenSSL plugin.


Thanks,
Jafar

On 11/9/2017 2:56 PM, Noel Kuntze wrote:
> That those are all the options you can set.
>
> The first plugin that provides a feature is used. rdrand will only be used as PRNG, if it is loaded earlier than openssl.
>
> If a plugin uses another plugin's PRNG implementation depends on the exact code.
>
> On 09.11.2017 21:42, Jafar Al-Gharaibeh wrote:
>> What about?
>>
>> What if I enable rdrand above, does that become the default for all random numbers used by strongSwan, ignoring OpenSSL's RNG?
>>
>> Does enabling those other RNG plugins have any effect on OpenSSL itself? I.e. is there a way to set OpenSSL's RNG directly from strongSwan?
>>
>>
>>
>> On 11/9/2017 2:39 PM, Noel Kuntze wrote:
>>> Correct.
>>>
>>> On 09.11.2017 21:38, Jafar Al-Gharaibeh wrote:
>>>> Noel,
>>>>
>>>>     Thank you for the quick response. I did search through the documentation and also the source code, but didn't find definitive answers to my questions. Do you have some pointers?
>>>>
>>>> I did see this in the man page which addresses my last question:
>>>>
>>>>    charon.plugins.openssl.engine_id [pkcs11]
>>>>                 ENGINE ID to use in the OpenSSL plugin.
>>>>
>>>> charon.plugins.openssl.fips_mode [0]
>>>>                 Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
>>>>
>>>>
>>>> So, are these the only available options?
>>>>
>>>> Thank you in advance,
>>>> Jafar
>>>>
>>>> On 11/9/2017 2:29 PM, Noel Kuntze wrote:
>>>>> Use the power of documentation (man pages).
>>>>>
>>>>> On 09.11.2017 21:22, Jafar Al-Gharaibeh wrote:
>>>>>> Hi,
>>>>>>
>>>>>>      I am compiling  StrongSwan with these options:
>>>>>>
>>>>>> --enable-openssl    #enables the OpenSSL crypto plugin.
>>>>>> #--enable-rdrand      # don't enable Intel RDRAND random generator plugin.
>>>>>> --disable-random    #disable RNG implementation on top of /dev/(u)random.
>>>>>>
>>>>>> Looking through the code, OpenSSL plugin itself provides an RNG plugin so I thought the above configuration
>>>>>> will make sure I'm using the OpenSSL RNG.  Is my assumption correct?
>>>>>>
>>>>>> What if I enable rdrand above, does that become the default for all random numbers used by strongSwan, ignoring OpenSSL's RNG?
>>>>>>
>>>>>> Does enabling those other RNG plugins have any effect on OpenSSL itself? I.e. is there a way to set OpenSSL's RNG directly from strongSwan?
>>>>>>
>>>>>> For OpenSSL (and other plugins), where do I find a list of all supported configuration options? For example, I found the following example on the strongSwan website; what other options can I set/unset there?
>>>>>>
>>>>>> charon {
>>>>>>     load_modular = yes
>>>>>>     interfaces_use = eth0
>>>>>>     plugins {
>>>>>>         openssl {
>>>>>>             fips_mode = 0
>>>>>>         }
>>>>>>         include strongswan.d/charon/*.conf
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>>
>>>>>>
>>>>>> Many Thanks,
>>>>>> Jafar
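The practical consequence of Noel's rule ("the first plugin that provides a feature is used") is that you cannot tell which RNG charon picks from the configure flags alone; you have to look at the load order of the running daemon. Both `ipsec statusall` and `swanctl --stats` print a `loaded plugins:` line in load order. The script below is an added example (not from the strongSwan project or from anyone in this thread): it takes such a line and reports which of the RNG-providing plugins named in the thread (openssl, rdrand, random) comes first, i.e. which one will serve strongSwan's generic RNG requests. The sample status lines are constructed for illustration, and the plugin names in them are not real output from any host.

```shell
#!/bin/sh
# Added example, not strongSwan project code. Given the "loaded plugins: ..."
# line printed by `ipsec statusall` or `swanctl --stats`, report which
# RNG-capable plugin charon will use: by the rule quoted in the thread, the
# first loaded plugin that registers the feature wins.

# Plugins that register an RNG implementation, matching the configure options
# discussed in the thread (--enable-openssl, --enable-rdrand, --enable-random).
RNG_PLUGINS="openssl rdrand random"

# first_rng_plugin LINE
# Prints the first plugin in LINE that is in RNG_PLUGINS, in load order.
# Prints "none" and returns 1 if no RNG-capable plugin is loaded at all
# (charon would then fail to get random bytes for nonces and keys).
first_rng_plugin() {
    # Strip everything up to and including "loaded plugins:".
    names=$(printf '%s' "$1" | sed 's/^.*loaded plugins:[[:space:]]*//')
    for p in $names; do
        for r in $RNG_PLUGINS; do
            [ "$p" = "$r" ] && { printf '%s\n' "$p"; return 0; }
        done
    done
    printf 'none\n'
    return 1
}

# Constructed sample lines in the format of the status output. Plugin order
# is illustrative; it is what you would see after reordering plugin loading.
SAMPLE_RDRAND_FIRST="loaded plugins: charon rdrand openssl nonce x509 pem pkcs1"
SAMPLE_OPENSSL_FIRST="loaded plugins: charon openssl rdrand nonce x509 pem pkcs1"
SAMPLE_RANDOM_ONLY="loaded plugins: charon nonce x509 pem pkcs1 random"
SAMPLE_NO_RNG="loaded plugins: charon nonce x509 pem pkcs1"

# Demonstration against the constructed samples (the live check would be
# e.g.: first_rng_plugin "$(ipsec statusall | grep 'loaded plugins:')").
for sample in "$SAMPLE_RDRAND_FIRST" "$SAMPLE_OPENSSL_FIRST" \
              "$SAMPLE_RANDOM_ONLY" "$SAMPLE_NO_RNG"; do
    printf '%s\n  -> RNG provider: %s\n' "$sample" "$(first_rng_plugin "$sample" || true)"
done
```

To actually change the order, strongswan.conf offers two mechanisms: with `load_modular = no`, `charon.load` takes a space-separated plugin list that is loaded in the order written; with `load_modular = yes` (as in the snippet above), each plugin's `load` option in strongswan.d/charon/*.conf accepts an integer as well as yes/no, and higher values raise that plugin's load priority. Two caveats. First, Noel's point stands: load order decides which plugin serves charon's generic RNG requests, but whether a given plugin internally uses another plugin's PRNG depends on its code; in particular, operations the openssl plugin delegates to libcrypto (key generation, for instance) draw from OpenSSL's own RAND regardless of which strongSwan RNG loaded first (this is an assumption about plugin internals, not something the thread confirms). Second, the check only tells you which provider is selected, not the quality of its entropy source; that is a separate review.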
