Feature #13902
Status: open
Add configuration option to IPsec VPN section to allow strongSwan to use RSA-PSS signatures
Description
When an IKEv2 client indicates support for RFC 7427 digital signature authentication to a strongSwan server configured with an RSA certificate, strongSwan will use the PKCS#1 v1.5 scheme to generate its authentication signature. Since v5.6.1, strongSwan has also supported generating and validating signatures using the newer, more secure RSA-PSS scheme. For compatibility, this is disabled by default. RSA-PSS can be enabled in strongSwan either with a global flag or on a per-connection basis. It would be nice to have an option in pfSense to enable RSA-PSS to increase security for compatible VPN clients. I was able to verify this works by editing the strongswan.conf file to enable RSA-PSS manually, then initiating a VPN connection from a compatible client.
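As an added illustration (not part of the feature request, and not pfSense or strongSwan code), a small Python check that parses the nested section syntax of strongswan.conf and reports whether the global flag is set. It runs over two constructed configs: a default one, which leaves strongSwan signing with PKCS#1 v1.5, and one edited by hand as the report describes. The key name charon.rsa_pss is strongSwan's documented global option; the per-connection form mentioned above is not covered here.

```python
"""Audit a strongswan.conf for charon.rsa_pss (example code, not pfSense's or strongSwan's)."""
import re


def parse_strongswan_conf(text):
    """Parse strongswan.conf's `section { key = value }` nesting into nested dicts.

    Minimal parser for auditing only: '#' comments are stripped, `include`
    directives are skipped rather than followed, and values stay as strings.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include "):
            continue
        opened = re.match(r"^([\w.-]+)\s*\{$", line)      # "charon {"
        if opened:
            stack.append(stack[-1].setdefault(opened.group(1), {}))
            continue
        if line == "}":                                    # close current section
            if len(stack) > 1:
                stack.pop()
            continue
        assigned = re.match(r"^([\w.-]+)\s*=\s*(.*)$", line)  # "rsa_pss = yes"
        if assigned:
            stack[-1][assigned.group(1)] = assigned.group(2).strip()
    return root


def rsa_pss_enabled(text):
    """True if charon.rsa_pss is switched on; strongSwan's default is 'no' (PKCS#1 v1.5)."""
    value = parse_strongswan_conf(text).get("charon", {}).get("rsa_pss", "no")
    return value.lower() in ("yes", "true", "1")


# Constructed sample: the shape of a default config, RSA-PSS left disabled.
DEFAULT_CONF = """
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
"""

# Constructed sample: the same config after the manual edit described in the report.
HARDENED_CONF = DEFAULT_CONF.replace(
    "load_modular = yes",
    "load_modular = yes\n    rsa_pss = yes  # sign with RSA-PSS (RFC 7427) instead of PKCS#1 v1.5",
)
```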