Page 1 of 1
Suite-B profile and ECDSA-384 support
Posted: Sun Mar 17, 2013 7:52 am
by KobiBeifus
Hi,
Does OpenVPN compliance to the Suite-B profile of IPSec with supplying the FIPS-140-2 Level 1 validated AES-256 GCM cipher?
Does OpenVPN support ECDSA-384 auth?
If not, how can I add this support?
Thanks,
Kobi
Re: Suite-B profile and ECDSA-384 support
Posted: Sun Mar 17, 2013 8:23 am
by mwandelaar
OpenVPN relies on the crypto of the underlying SSL/TLS-library.
This way there are serveral development-models available, based on the SSL-library of choise.
The dutch government choose to support OpenVPN, based on PolarSSL and their choosen crypto-suites.
You can check which crypto- and authentication-models are available by using:
and
As far as i can see, openssl does support this since June 27, 2012. So you you add the patches or the correct compile-options when building openssl and then build openvpn against your openssl-build, openvpn will support the FIPS140-2 criteria.
Re: Suite-B profile and ECDSA-384 support
Posted: Sun Mar 17, 2013 8:27 am
by KobiBeifus
Thanks for your reply.
Does openVPN support PKCS #11 interface for smart card?
Re: Suite-B profile and ECDSA-384 support
Posted: Sun Mar 17, 2013 2:37 pm
by mwandelaar
It sure does.
Again, this is handled through the SSL-library and i used the tokens from
gooze.eu
Not my own findings but i bought and followed
the awesome book from Jan Just Keijser called OpenVPN 2 CookBook.
You have to do some tinkering with it because the tokens i used aren't Aladdin eTokens but you will find out.
OpenSSL default supports quite a lot of PKCS#11 and PKCS#15 devices via the "engine" option. Preloading the driver and using the pointer to the hardware instead of the filename for the private key will do the trick.