Hi Christian,

> Do I have to enable the openssl support only for creating such
> certificates? (Currently on a Debian host with Strongswan 5.0.1)
> Or do I also need the openssl support during the key exchange?

During the exchange, you have to create and/or verify signatures using the algorithm of the key in your certificates. So yes, you need the openssl backend to create/verify ECDSA signatures.

> How about RSA? There is obviously no need for openssl for building a
> certificate with rsa keypairs. So there is an implementation in strongSwan
> itself, right?

Yes, our default RSA implementation comes with the "gmp" plugin, built using the primitives from the GNU MP Bignum Library. But the OpenSSL backend of course provides its own implementation of RSA, and so does our gcrypt backend.

You can also have a look at the output of "ipsec listplugins", which shows the features provided by each plugin. PRIVKEY_SIGN provides signature capabilities for the given signature scheme, PUBKEY_VERIFY the associated verification operation (while PUBKEY/PRIVKEY provide just loading of encoded keys, and PRIVKEY_GEN generation of keys).

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users

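The reply points at "ipsec listplugins" as the way to find out which plugin can sign and verify with a given scheme. The following POSIX shell script is an added example, not code from the strongSwan project or from the list participants: it parses a listing in that format and answers the question the thread asks, namely whether some loaded plugin provides both PRIVKEY_SIGN and PUBKEY_VERIFY for the scheme of the certificate key (e.g. ECDSA_WITH_SHA256). The embedded listing is constructed and abridged, and its exact line layout (plugin name ending in a colon, indented FEATURE:VALUE lines) is an assumption modelled on strongSwan 5.x output rather than a capture from a real host; on a live system the functions fall back to running "ipsec listplugins" themselves.

```shell
#!/bin/sh
# Constructed, abridged sample of "ipsec listplugins" output. The layout
# (plugin name terminated by ":", features indented beneath it) is an
# assumption modelled on strongSwan 5.x; it was not captured from a real host.
SAMPLE_LISTPLUGINS='List of loaded Plugins:

charon:
    CUSTOM:libcharon
gmp:
    PRIVKEY:RSA
    PRIVKEY_GEN:RSA
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
    PUBKEY:RSA
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
openssl:
    PRIVKEY:RSA
    PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256
    PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
    PRIVKEY:ECDSA
    PRIVKEY_GEN:ECDSA
    PRIVKEY_SIGN:ECDSA_WITH_SHA256
    PUBKEY:ECDSA
    PUBKEY_VERIFY:ECDSA_WITH_SHA256
'

# plugins_providing FEATURE [LISTING]
# Prints, one per line, every plugin whose feature list contains FEATURE
# exactly, e.g. "PRIVKEY_SIGN:ECDSA_WITH_SHA256". LISTING defaults to the
# live output of "ipsec listplugins" when not supplied.
plugins_providing() {
    feature=$1
    listing=${2:-$(ipsec listplugins 2>/dev/null)}
    printf '%s\n' "$listing" | awk -v want="$feature" '
        # A non-indented line ending in ":" names the plugin that follows.
        /^[^[:space:]].*:$/ { plugin = substr($0, 1, length($0) - 1); next }
        # Indented lines are features of the current plugin.
        { sub(/^[[:space:]]+/, ""); if ($1 == want && plugin != "") print plugin }
    '
}

# can_authenticate SCHEME [LISTING]
# Succeeds only if some loaded plugin can sign with SCHEME and some loaded
# plugin can verify it: both are needed during the IKE authentication
# exchange when the certificate key uses that scheme.
can_authenticate() {
    scheme=$1
    listing=${2:-$(ipsec listplugins 2>/dev/null)}
    [ -n "$(plugins_providing "PRIVKEY_SIGN:$scheme" "$listing")" ] &&
    [ -n "$(plugins_providing "PUBKEY_VERIFY:$scheme" "$listing")" ]
}

# Stand-alone demonstration against the constructed listing.
for scheme in ECDSA_WITH_SHA256 RSA_EMSA_PKCS1_SHA256 ECDSA_WITH_SHA384; do
    if can_authenticate "$scheme" "$SAMPLE_LISTPLUGINS"; then
        signers=$(plugins_providing "PRIVKEY_SIGN:$scheme" "$SAMPLE_LISTPLUGINS" | tr '\n' ' ')
        echo "$scheme: usable (signed by: $signers)"
    else
        echo "$scheme: no plugin provides both PRIVKEY_SIGN and PUBKEY_VERIFY"
    fi
done
```

In the constructed listing only the openssl plugin provides the ECDSA features, which is the situation the reply describes: without that backend loaded, the ECDSA scheme would be reported as unusable even though an RSA scheme is served by both gmp and openssl. Run the script without a second argument on a strongSwan host to check the real plugin set instead of the sample.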