>> Which plugins can I get rid of when openssl is being used ?
>>
> if you enable openssl then you can get rid of the following plugins:
>
>   aes des sha1 sha2 md5 gmp
>
> you still need hmac (always), pubkey and x509 (with rsa signatures)
> and xcbc (with aes-xcbc authentication).
>

Thanks for that, Andreas.

By adding the following configure flags

    --disable-des \
    --disable-md5 \
    --disable-sha2 \
    --disable-gmp \
    --disable-xcbc \
    --disable-pluto \
    --disable-tools \
    --enable-openssl \
    --disable-static \

I've managed to shrink the installed strongSwan footprint by 50%.

Even though I'm no longer building the gmp plugin, I notice that the
eap-aka plugin still requires the gmp library ...

>> I tried adding openssl to the list of plugins in strongswan.conf and
>> removing the following:
>>
>>   aes des sha1 sha2 md5 gmp xcbc fips-prf
>>
>> However, with these removed, the tunnel does not come up. A little
>> experimentation shows that I have to add fips-prf (okay, I can
>> understand this one) and sha1 back in.
>>
>> Why do I need to add sha1 back in ?
>>
> shouldn't be required, see the following openssl scenario:
>
> http://www.strongswan.org/uml/testresults43/openssl/rw-cert/moon.strongswan.conf
>

Sadly, if I remove the sha1 plugin from strongswan.conf, the tunnel
refuses to come up. I'll leave this for now and investigate later ...

Thanks for the help,

Graham.