I have used ECDSA successfully with X.509 certificates *without* FIPS mode 
enabled. There are issues, however, when FIPS mode is enabled: 
https://github.com/libreswan/libreswan/issues/318

-Kavinda

-----Original Message-----
From: Swan <[email protected]> On Behalf Of Andrew Cagney
Sent: Monday, March 16, 2020 1:36 PM
To: Paul Wouters <[email protected]>
Cc: Cesar Pereida <[email protected]>; [email protected]
Subject: EXTERNAL: Re: [Swan] Info on DSA and ECDSA support

Is there a test?  Big chunks of the RSA vs ECDSA code were merged - so it 
would help us know where things fall short.


On Mon, 16 Mar 2020 at 13:50, Paul Wouters <[email protected]> wrote:
>
> On Mon, 16 Mar 2020, Cesar Pereida wrote:
>
> > Hey Libreswan folks,
> > What is the current status on supporting DSA and ECDSA during 
> > authentication?
> > In case they are supported, could you point me to simple commands to 
> > generate keys and configuration files using them?
>
> ECDSA is supported for the IKE authentication using authby=ecdsa and 
> for certificate signatures. For generation of ECDSA certificates, see 
> the various tutorials for openssl or nss/certutil. You can find some 
> examples we use for testing at:
>
> https://github.com/libreswan/libreswan/tree/master/testing/x509
>
> raw keys (e.g. public keys without certificates) do not yet support ECDSA.
>
> I'm not sure what you mean with "DSA", as the term is confusing. NIST 
> uses this term for "Digital Signature Authentication".
>
> Paul
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan