[Swan] Info on DSA and ECDSA support

Wewegama, Kavinda Kavinda.Wewegama at forcepoint.com
Tue Mar 24 00:23:28 UTC 2020


I have used ECDSA successfully with X.509 certificates *without* FIPS mode enabled. There are issues, however, when FIPS mode is enabled: https://github.com/libreswan/libreswan/issues/318

-Kavinda

-----Original Message-----
From: Swan <swan-bounces at lists.libreswan.org> On Behalf Of Andrew Cagney
Sent: Monday, March 16, 2020 1:36 PM
To: Paul Wouters <paul at nohats.ca>
Cc: Cesar Pereida <cesar.pereida at gmail.com>; swan at lists.libreswan.org
Subject: EXTERNAL: Re: [Swan] Info on DSA and ECDSA support

Is there a test? Big chunks of the RSA vs ECDSA code were merged - so it would help us know where things fall short.


On Mon, 16 Mar 2020 at 13:50, Paul Wouters <paul at nohats.ca> wrote:
>
> On Mon, 16 Mar 2020, Cesar Pereida wrote:
>
> > Hey Libreswan folks,
> > What is the current status on supporting DSA and ECDSA during authentication?
> > In case they are supported, could you point me to simple commands to generate keys and configuration files using them?
>
> ECDSA is supported for the IKE authentication using authby=ecdsa and 
> for certificate signatures. For generation of ECDSA certificates, see 
> the various tutorials for openssl or nss/certutil. You can find some 
> examples we use for testing at:
>
> https://github.com/libreswan/libreswan/tree/master/testing/x509
>
> raw keys (e.g. public keys without certificates) do not yet support ECDSA.
>
> I'm not sure what you mean with "DSA", as the term is confusing. NIST 
> uses this term for "Digital Signature Authentication".
>
> Paul
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
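
For the key-generation and configuration question raised in this thread, the following is an added example, not taken from any message here or from the libreswan project: it builds a throwaway ECDSA P-384 CA and end-entity certificate with openssl and writes a conn that uses authby=ecdsa. The host names, documentation addresses, the nickname east-ecdsa, the PKCS#12 password and the ikev2=insist setting (spelling used by 2020-era releases) are assumptions.

```shell
#!/bin/sh
# Added example: throwaway ECDSA P-384 CA, one end-entity certificate and a
# matching libreswan conn. Names, addresses and the password are constructed.

make_ecdsa_identity() (   # $1 = existing output directory
    set -e
    cd "$1"
    # CA key and self-signed CA certificate on NIST P-384, signed with SHA-384
    openssl ecparam -name secp384r1 -genkey -noout -out ca.key
    openssl req -new -x509 -key ca.key -sha384 -days 30 \
        -subj "/CN=Example ECDSA CA" -out ca.crt
    # End-entity key, CSR, and certificate carrying a subjectAltName
    openssl ecparam -name secp384r1 -genkey -noout -out east.key
    openssl req -new -key east.key -subj "/CN=east.example.test" -out east.csr
    printf 'subjectAltName=DNS:east.example.test\n' > east.ext
    openssl x509 -req -in east.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha384 -days 30 -extfile east.ext -out east.crt
    # Bundle for the NSS database; load on the gateway with: ipsec import east.p12
    openssl pkcs12 -export -inkey east.key -in east.crt -certfile ca.crt \
        -name east-ecdsa -passout pass:constructed-demo -out east.p12
    # Connection using the imported nickname (assumption: IKEv2 is forced)
    cat > ecdsa-example.conf <<'EOF'
conn ecdsa-example
    left=192.0.2.1
    leftcert=east-ecdsa
    leftid=%fromcert
    right=192.0.2.2
    rightid=%fromcert
    authby=ecdsa
    ikev2=insist
    auto=add
EOF
)

# Print the signature algorithm of a certificate
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Succeed only if the certificate ($2) chains to the CA ($1)
cert_chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

if [ -n "${1:-}" ]; then
    make_ecdsa_identity "$1"
    cert_sigalg "$1/east.crt"
    cert_chains_to "$1/ca.crt" "$1/east.crt" && echo "chain OK"
fi
```

Checking the signature algorithm before import catches the common mistake of signing an EC key's certificate with an RSA CA, which leaves the certificate signature RSA even though the subject key is ECDSA.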