Suite-B profile and ECDSA-384 support


Moderators: TinCanTech

KobiBeifus
OpenVpn Newbie
Posts: 2
Joined: Sun Mar 17, 2013 7:48 am

Suite-B profile and ECDSA-384 support

Post by KobiBeifus » Sun Mar 17, 2013 7:52 am

Hi,

Does OpenVPN comply with the Suite-B profile of IPsec by supplying the FIPS 140-2 Level 1 validated AES-256-GCM cipher?
Does OpenVPN support ECDSA-384 auth?

If not, how can I add this support?

Thanks,
Kobi

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Suite-B profile and ECDSA-384 support

Post by mwandelaar » Sun Mar 17, 2013 8:23 am

OpenVPN relies on the crypto of the underlying SSL/TLS-library.
This way there are several development models available, based on the SSL library of choice.
The Dutch government chose to support OpenVPN based on PolarSSL and their chosen crypto suites.

You can check which crypto and authentication models are available by using:

    openvpn --show-tls

and

    openvpn --show-digests

As far as I can see, OpenSSL has supported this since June 27, 2012. So if you add the patches or the correct compile options when building OpenSSL and then build OpenVPN against your OpenSSL build, OpenVPN will support the FIPS 140-2 criteria.

KobiBeifus
OpenVpn Newbie
Posts: 2
Joined: Sun Mar 17, 2013 7:48 am

Re: Suite-B profile and ECDSA-384 support

Post by KobiBeifus » Sun Mar 17, 2013 8:27 am

Thanks for your reply.
Does OpenVPN support the PKCS #11 interface for smart cards?

mwandelaar
OpenVPN Super User
Posts: 219
Joined: Mon Nov 23, 2009 8:24 pm

Re: Suite-B profile and ECDSA-384 support

Post by mwandelaar » Sun Mar 17, 2013 2:37 pm

It sure does.

Again, this is handled through the SSL library, and I used the tokens from gooze.eu.
Not my own findings, but I bought and followed the awesome book from Jan Just Keijser called OpenVPN 2 Cookbook.
You have to do some tinkering with it because the tokens I used aren't Aladdin eTokens, but you will find out.

OpenSSL by default supports quite a lot of PKCS#11 and PKCS#15 devices via the "engine" option. Preloading the driver and using the pointer to the hardware instead of the filename for the private key will do the trick.
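The two checks discussed in this thread (does the build offer Suite-B style TLS suites in `openvpn --show-tls`, and how to point the client at a PKCS#11 token instead of a key file) can be tied together in one script. The following is an added example, not code from the thread or from the OpenVPN project: it filters a `--show-tls` listing down to the Suite-B suites (ECDHE, ECDSA, AES-GCM, SHA-2 only), refuses to produce a `tls-cipher` line when none are present so the client cannot silently fall back to the default suite list, and emits a client config fragment. It assumes OpenVPN 2.4 or later (where `--show-tls` lists ECDHE-ECDSA suites and `cipher AES-256-GCM` and `ecdh-curve` are accepted); the `--show-tls` output is constructed, and the PKCS#11 provider path and `pkcs11-id` value are placeholders you replace with the output of `openvpn --show-pkcs11-ids <provider>`.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): check a build's
# `openvpn --show-tls` listing for Suite-B TLS suites and emit a matching
# client config fragment. Assumes OpenVPN 2.4 or later (ECDHE-ECDSA suites,
# `cipher AES-256-GCM`, `ecdh-curve`). Provider path and pkcs11-id are placeholders.

# Constructed sample of `openvpn --show-tls` output (not captured from a real build).
SAMPLE_SHOW_TLS='Available TLS Ciphers, listed in order of preference:

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-128-CBC-SHA'

# Suite-B for TLS (RFC 6460) allows only ECDHE key exchange, ECDSA signatures,
# AES-GCM and SHA-256/384; every other suite in the listing is filtered out.
suiteb_suites() {
    printf '%s\n' "$1" |
        grep -E '^TLS-ECDHE-ECDSA-WITH-AES-(128|256)-GCM-SHA(256|384)$'
}

# Status 0 when the 192-bit Suite-B suite (AES-256-GCM, SHA-384) is available.
has_suiteb_192() {
    suiteb_suites "$1" | grep -qx 'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'
}

# tls-cipher directive restricted to the Suite-B suites the build offers, in
# the build's own preference order. Fails (status 1) when there are none, so
# the caller never ends up running with OpenVPN's default suite list.
tls_cipher_directive() {
    list=$(suiteb_suites "$1" | paste -s -d ':' -)
    [ -n "$list" ] || return 1
    printf 'tls-cipher %s\n' "$list"
}

# Client config fragment: control channel pinned to Suite-B suites, data
# channel on AES-256-GCM, P-384 for ECDH, and the private key held on a
# PKCS#11 token rather than in a key file. The provider path and the id are
# placeholders; the real id comes from `openvpn --show-pkcs11-ids <provider>`.
suiteb_config_fragment() {
    tls_cipher_directive "$1" || return 1
    cat <<'EOF'
tls-version-min 1.2
cipher AES-256-GCM
auth SHA384
ecdh-curve secp384r1
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id 'PLACEHOLDER-serialized-id'
EOF
}

# Against a live build this would be: suiteb_config_fragment "$(openvpn --show-tls)"
suiteb_config_fragment "$SAMPLE_SHOW_TLS"
```

The `tls-cipher` names are the IANA-style `TLS-...` names that `--show-tls` prints, which is why the script takes that listing as input rather than OpenSSL's own cipher names.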
