
List:       strongswan-users
Subject:    Re: [strongSwan] User openssl's PUBKEY_VERIFY instead of gmp's for CVE-2017-11185
From:       karthik kumar <kumarkarthikn () gmail ! com>
Date:       2017-08-22 8:15:52
Message-ID: CAK+ZqRp8Dbi96jpJaCbHE3+UAoaF00y-GiUOgYMr_MDRNWxYUA () mail ! gmail ! com

Hi Tobias,
   Thanks for the answer. So it looks like, for us, by default the openssl
plugin does all the job (overriding gmp), which means we are almost invulnerable
(*almost* because in the rare case that openssl can't verify a signature, gmp
takes over) to CVE-2017-11185. woohooo !!!


Regards

On Tue, Aug 22, 2017 at 12:37 PM, Tobias Brunner <tobias@strongswan.org>
wrote:

> Hi Karthik,
>
> > * I have increased the priority of gmp plugin, but openssl is loaded at
> > the last. I am thinking whichever is loaded last will override?
>
> It's the other way around: the first implementation registered will be
> used. Unless it fails to load the key; then the next registered
> implementation will be considered. The latter could also happen if you
> load a private key without a specific type and don't have the pkcs1 plugin
> loaded: only the openssl plugin can load such keys directly, the others
> need the pkcs1 plugin to detect the type (or even to pre-parse the key).
>
> > * when both plugins have priority = 1 (load = yes) openssl is loaded
> > first and then gmp.
>
> That's due to the default plugin list (built by the configure script),
> which is used to order the plugins if they have the same priority.
>
> Regards,
> Tobias
>
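As an added illustration (not part of this thread and not strongSwan's own documentation), here is a strongswan.conf fragment that makes the registration order discussed above explicit instead of relying on the default plugin list built by the configure script. It assumes the strongswan.conf conventions the thread refers to: `charon.plugins.<name>.load` accepts `yes`/`no` or a numeric priority, `yes` equals priority 1, and plugins with a higher priority are registered first, so their key implementations are tried first. Those assumptions are marked in the comments; check them against the strongswan.conf documentation for the version in use.

```conf
# Added example strongswan.conf fragment, not from the thread.
# Assumption: numeric load values are priorities and higher-priority
# plugins are registered first (so their implementations win ties).
charon {
    # Use the per-plugin load settings below instead of charon.load.
    # Caveat: with load_modular every other plugin charon needs must also
    # carry its own load setting (packaged installs usually provide these
    # under strongswan.d/charon/*.conf), otherwise it is not loaded at all.
    load_modular = yes

    plugins {
        # Before (the situation in the thread): both plugins at priority 1,
        # i.e. "load = yes", so the configure-time default plugin list
        # decides which one registers first.
        #
        # openssl {
        #     load = yes
        # }
        # gmp {
        #     load = yes
        # }

        # After: openssl is explicitly registered ahead of gmp, so RSA
        # signature verification is handled by openssl whenever it can load
        # the key; gmp remains only as a fallback for keys openssl rejects.
        openssl {
            load = 2
        }
        gmp {
            load = 1
        }
        # pkcs1 stays loaded so that non-openssl plugins can still detect
        # the type of (and pre-parse) keys loaded without an explicit type.
        pkcs1 {
            load = 1
        }
    }
}
```

After restarting charon, the effective order is visible in its startup log line beginning with `loaded plugins:`; openssl should appear before gmp there. Setting `gmp { load = no }` would remove the fallback entirely, at the cost of failing on any key openssl cannot load, which is the trade-off the thread's "almost" refers to.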
