Feature #13902

open

Add configuration option to IPsec VPN section to allow strongSwan to use RSA-PSS signatures

Added by Kev Kitchens about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

When an IKEv2 client indicates support for RFC 7427 digital signature authentication to a strongSwan server configured with an RSA certificate, strongSwan will use the PKCS#1 v1.5 scheme to generate its authentication signature. Since v5.6.1, strongSwan has also supported generating and validating signatures using the newer, more secure RSA-PSS scheme. For compatibility, this is disabled by default. RSA-PSS can be enabled in strongSwan using either global flags or on a per-connection basis. It would be nice to have an option in pfSense to enable RSA-PSS to increase security for compatible VPN clients. I was able to verify this works by editing the strongswan.conf file to enable RSA-PSS manually, then initiating a VPN connection from a compatible client.
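As an added check (example code, not part of this issue, pfSense or strongSwan): a small Python parser for strongswan.conf syntax that reports whether the global `charon.rsa_pss` flag the request refers to is enabled, so an administrator can audit a generated file rather than trust that the option took effect. The configuration text is a constructed sample, not the file pfSense writes.

```python
def sample_conf(rsa_pss_line):
    """Build a constructed strongswan.conf-style text (not pfSense's generated file)."""
    return f"""
# constructed sample in strongswan.conf syntax
charon {{
    signature_authentication = yes   # RFC 7427 signature auth (strongSwan default)
    {rsa_pss_line}
    plugins {{
        openssl {{
            load = yes
        }}
    }}
}}
"""

# Default strongSwan behaviour: rsa_pss unset, so RSA signatures use PKCS#1 v1.5 padding.
SAMPLE_DEFAULT = sample_conf("# rsa_pss left unset: PKCS#1 v1.5 padding")
# The change the issue asks pfSense to expose: RSA-PSS padding for RSA signatures.
SAMPLE_PSS = sample_conf("rsa_pss = yes   # RSA-PSS padding for RSA signatures")


def parse_strongswan_conf(text):
    """Parse strongswan.conf syntax (nested `name { ... }` sections, `key = value`
    lines, `#` comments) into a flat dict keyed by dotted path, e.g. 'charon.rsa_pss'.
    One statement per line is assumed; include directives are ignored."""
    settings = {}
    stack = []  # enclosing section names
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[".".join(stack + [key])] = value
    return settings


def rsa_pss_enabled(text):
    """True only when charon.rsa_pss is explicitly set to a true value; an absent
    key means strongSwan's default, PKCS#1 v1.5 signatures."""
    value = parse_strongswan_conf(text).get("charon.rsa_pss", "no")
    return value.lower() in ("yes", "true", "1", "enabled")
```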
