That those are all the options you can set.

The first plugin that provides a feature is used. rdrand will only be used as 
PRNG if it is loaded earlier than openssl.

Whether a plugin uses another plugin's PRNG implementation depends on the exact code.

On 09.11.2017 21:42, Jafar Al-Gharaibeh wrote:
> What about?
> 
> What if I enable rdrand above, does that become the default for all random 
> numbers used by strongswan, ignoring OpenSSL's RNG?
> 
> Does enabling those other RNG plugins have any effect on OpenSSL itself? I.e., 
> is there a way to set OpenSSL's RNG directly from Strongswan?
> 
> 
> 
> On 11/9/2017 2:39 PM, Noel Kuntze wrote:
>> Correct.
>>
>> On 09.11.2017 21:38, Jafar Al-Gharaibeh wrote:
>>> Noel,
>>>
>>> Thank you for the quick response. I did search through the documentation 
>>> and also the source code, but didn't find definitive answers to my 
>>> questions. Do you have some pointers?
>>>
>>> I did see this in the man page which addresses my last question:
>>>
>>> charon.plugins.openssl.engine_id [pkcs11]
>>>                ENGINE ID to use in the OpenSSL plugin.
>>>
>>> charon.plugins.openssl.fips_mode [0]
>>>                Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2).
>>>
>>>
>>> So, are these the only available options?
>>>
>>> Thank you in advance,
>>> Jafar
>>>
>>> On 11/9/2017 2:29 PM, Noel Kuntze wrote:
>>>> Use the power of documentation (man pages).
>>>>
>>>> On 09.11.2017 21:22, Jafar Al-Gharaibeh wrote:
>>>>> Hi,
>>>>>
>>>>> I am compiling StrongSwan with these options:
>>>>>
>>>>> --enable-openssl    #enables the OpenSSL crypto plugin.
>>>>> #--enable-rdrand      # don't enable Intel RDRAND random generator plugin.
>>>>> --disable-random    #disable RNG implementation on top of /dev/(u)random.
>>>>>
>>>>> Looking through the code, the OpenSSL plugin itself provides an RNG plugin, so 
>>>>> I thought the above configuration
>>>>> will make sure I'm using the OpenSSL RNG. Is my assumption correct?
>>>>>
>>>>> What if I enable rdrand above, does that become the default for all 
>>>>> random numbers used by strongswan, ignoring OpenSSL's RNG?
>>>>>
>>>>> Does enabling those other RNG plugins have any effect on OpenSSL itself? 
>>>>> I.e., is there a way to set OpenSSL's RNG directly from Strongswan?
>>>>>
>>>>> For OpenSSL (and other plugins), where do I find a list of all supported 
>>>>> configuration options? For example, I found the following example on the 
>>>>> strongswan website; what other options can I set/unset there?
>>>>>
>>>>> charon {
>>>>>     load_modular = yes
>>>>>     interfaces_use = eth0
>>>>>     plugins {
>>>>>         openssl {
>>>>>             fips_mode = 0
>>>>>         }
>>>>>         include strongswan.d/charon/*.conf
>>>>>     }
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> Many Thanks,
>>>>> Jafar
> 
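
As an added example (not part of the original thread and not strongSwan's own code): a shell check of which RNG-providing plugin comes first in the `loaded plugins:` line printed by `ipsec statusall`, following the first-loaded-wins rule stated in the reply at the top. It assumes that line reflects load order and treats only the three plugins named in this thread as RNG providers; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumption: only the plugins discussed in this thread are considered
# RNG providers; extend this list for other builds.
RNG_PLUGINS="rdrand random openssl"

# first_rng_plugin TEXT
# Prints the first RNG-providing plugin found in the "loaded plugins:" line
# of TEXT (assumed to be in load order). Returns 1 if none is present.
first_rng_plugin() {
    line=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p' \
        | head -n 1)
    for p in $line; do
        for r in $RNG_PLUGINS; do
            if [ "$p" = "$r" ]; then
                printf '%s\n' "$p"
                return 0
            fi
        done
    done
    return 1
}

# Constructed sample lines (not captured from a real system).
# A: rdrand is listed before openssl, so rdrand would provide the RNG.
SAMPLE_A='  loaded plugins: charon aes sha2 rdrand nonce x509 openssl kernel-netlink'
# B: built with --disable-random and without rdrand, as in the question.
SAMPLE_B='  loaded plugins: charon aes sha2 nonce x509 openssl kernel-netlink'
# C: no RNG-providing plugin at all; worth flagging.
SAMPLE_C='  loaded plugins: charon aes sha2 nonce x509 kernel-netlink'

for sample in "$SAMPLE_A" "$SAMPLE_B" "$SAMPLE_C"; do
    if rng=$(first_rng_plugin "$sample"); then
        echo "first RNG provider: $rng"
    else
        echo "no RNG provider among: $RNG_PLUGINS"
    fi
done
```

On a live system, pass the real output instead of a sample, for example `first_rng_plugin "$(ipsec statusall)"`.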
