Hi Dale,

> 1. Does strongSwan 4.6.1 comply with NIST SP800-131a?

I haven't read that spec in detail, but it seems that it just defines algorithms and key lengths to use for "acceptable" operation. strongSwan can support many of these algorithms and key lengths; it's just a matter of configuration.

Make sure to define the algorithms you require in your connections in the "esp" and "ike" proposal keywords, and append a '!' to disable others (man ipsec.conf for details). If you are using certificates, generate the keys with appropriate key length and sign the certificates with the required hashing algorithms.

So yes, it should be possible to configure strongSwan for NIST SP800-131a compliance (but it is also possible to configure it to violate this spec).

> If the answer is no to all three questions, then we will look into using
> the OpenSSL or libgcrypt routines with strongSwan.

I don't think that the selection of the crypto backend matters, you can use weak algorithms or key lengths with any backend.

Regards
Martin

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
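Added example, not part of the message above and not strongSwan project code: a small audit of the "ike" and "esp" proposal keywords in an ipsec.conf, checking that each connection sets the strict flag '!' and names only algorithms from a site-chosen allow-list. The allow-list and the sample configuration are constructed assumptions, not a transcription of NIST SP800-131a, and `also=` and `include` lines are not resolved.

```python
# Audit ike=/esp= proposals in ipsec.conf text (added example, hypothetical helper names).
# Assumption: ALLOWED is a placeholder policy; replace it with your required algorithms.
ALLOWED = {"aes128", "aes256", "sha256", "sha384", "modp2048", "modp3072"}

# Constructed sample configuration (not from the original post).
SAMPLE = """\
conn %default
    ike=aes256-sha256-modp2048!

conn site-a
    esp=aes256-sha256!

conn site-b
    ike=aes128-sha1-modp1024
    esp=aes128-sha256,3des-md5!
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' values inherited."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:  # indented key=value
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **params} for name, params in conns.items()}

def audit(text, allowed=ALLOWED):
    """Return sorted (conn, keyword, problem) tuples for ike= and esp=."""
    findings = []
    for name, params in parse_conns(text).items():
        for kw in ("ike", "esp"):
            value = params.get(kw, "")
            if not value.endswith("!"):
                findings.append((name, kw, "unset or no strict flag '!'"))
            algs = {a for p in value.rstrip("!").split(",")
                    for a in p.strip().split("-") if a}
            findings += [(name, kw, f"algorithm not allowed: {a}")
                         for a in algs - allowed]
    return sorted(findings)
```

Calling `audit(SAMPLE)` reports only `site-b`; `site-a` passes because it inherits the strict `ike` proposal from `conn %default`.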
