Hi Martin,
I built OpenSSL 1.0.0 with ECDH support and strongSwan (5.0.4) with
--enable-openssl and --enable-load-tester plugin support.
I installed both packages on Wind River Linux. However, strongSwan
still complains that the configured DH group ECP_224 is not supported.
00[CFG] loaded IKE secret for @srv.strongswan.org %any
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr load-tester kernel-netlink resolve socket-default stroke updown xauth-generic
00[JOB] spawning 64 worker threads
10[IKE] <load-test|1> initiating IKE_SA load-test[1] to 30.30.30.21
10[IKE] <load-test|1> configured DH group ECP_224 not supported
Running #openssl ciphers -v 'ECDH' gives the output below, which
implies that OpenSSL has been compiled with ECDH support.
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDHE-RSA-NULL-SHA SSLv3 Kx=ECDH Au=RSA Enc=None Mac=SHA1
ECDHE-ECDSA-NULL-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
AECDH-NULL-SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1
ECDH-RSA-NULL-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None Mac=SHA1
ECDH-ECDSA-NULL-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None Mac=SHA1
root@:/root> ls -l /usr/local/ssl/
total 12
drwxr-xr-x 2 root root 0 Jan 1 00:15 bin
drwxr-xr-x 2 root root 0 Jan 1 00:15 certs
drwxr-xr-x 3 root root 0 Jan 1 00:15 include
drwxr-xr-x 4 root root 0 Jan 1 00:15 lib
drwxr-xr-x 6 root root 0 Jan 1 00:15 man
drwxr-xr-x 2 root root 0 Jan 1 00:15 misc
-rw-r--r-- 1 root root 10819 Jan 1 00:15 openssl.cnf
drwxr-xr-x 2 root root 0 Jan 1 00:15 private
root@benu_seFP:/root> ls -l /usr/local/ssl/lib/
total 5308
drwxr-xr-x 2 root root 0 Jan 1 00:15 engines
-rw-r--r-- 1 root root 4698918 Jan 1 00:15 libcrypto.a
-rw-r--r-- 1 root root 731508 Jan 1 00:15 libssl.a
drwxr-xr-x 2 root root 0 Jan 1 00:15 pkgconfig
root@:/root>
Can you please suggest what might be the issue behind this
error? Thanks in advance for your support.
Regards,
Chinmaya
On Friday, January 17, 2014 3:51 PM, Martin Willi <[email protected]> wrote:
Hi,
> Similarly checked the SSL ciphers supported via OpenSSL> ciphers
> command but did not find the elliptic curve Diffie-Hellman group. I am
> using the Fedora Linux (2.6.33.3-85.fc13.i686) and the version of
> OpenSSL is 1.0.0d-fips 8 Feb 2011 .
Most likely your Fedora OpenSSL comes without Elliptic Curve support.
You'll have to build OpenSSL yourself, or look for third party packages
providing OpenSSL with EC enabled.
Regards
Martin