Red Hat is currently not supplying Elliptic Curve Crytography (ECC) in binary packages due to concerns about patents. There are various opinions about this subject and other Linux distributions such as Debian and Ubuntu have included ECC.
For those who want or need ECC (for example, to interoprate with a VPN using X.509 ECDSA certificates or to use ECC-based smartcards) it is necessary to rebuild the Fedora OpenSSL package and related packages such as strongSwan
Here I describe how to make the rebuild using the original sources and Fedora spec file to stay as close to the original Fedora binary as possible. The procedure has been tested on Fedora 19 but can be adapted for other Fedora versions and/or RHEL/Centos/EPEL users.
As root, install the necessary tools and dependencies for building. Remove the old openssl-devel package so it won't cause any problems during build.
rpm -e openssl-devel yum install rpm-build krb5-devel zlib-devel gcc \ gmp-devel libcurl-devel openldap-devel \ NetworkManager-devel NetworkManager-glib-devel sqlite-devel
If you haven't used rpmbuild before, it is necessary to set up a small config file and directory tree for package building. The following commands will do that:
[ ! -e ~/.rpmmacros ] && \ echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros [ ! -d rpmbuild ] && mkdir rpmbuild cd ~/rpmbuild mkdir -p BUILD BUILDROOT RPMS/i386 RPMS/x86_64 SOURCES SPECS SRPMS
Here we download the source packages from Fedora and apply a small patch to enable the ECC algorithms. This code can be cut and pasted into a script:
cd ~/rpmbuild/SRPMS wget http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/source/SRPMS/o/openssl-1.0.1e-4.fc19.src.rpm wget http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/source/SRPMS/s/strongswan-5.0.2-2.fc19.src.rpm rpm -i openssl-1.0.1e-4.fc19.src.rpm rpm -i strongswan-5.0.2-2.fc19.src.rpm cd ../SOURCES wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz cd ../SPECS wget http://zxvdr.fedorapeople.org/openssl.spec.ec_patch # Fedora's SRPM has a modified source, must use the original patch -p0 < openssl.spec.ec_patch sed -i -e 's/-usa.tar.xz/.tar.gz/' openssl.spec rpmbuild -bb openssl.spec
The strongSwan build script will detect the OpenSSL ECDSA functionality and enable the corresponding code in strongSwan. Therefore, it is necessary to install the OpenSSL packages now, before building strongSwan:
cd ~/rpmbuild/RPMS/$(uname -i) rpm -Uvh --force \ openssl-1.0.1e*rpm \ openssl-devel-1.0.1e*rpm \ openssl-libs-1.0.1e*rpm
You can test that ECC is supported now by running the command:
openssl ec -help
If you receive the help text, ECC is supported.
The strongSwan package does not need to be modified or patched in any way. When it builds, it will dynamically detect the ECDSA support in OpenSSL and the strongSwan package will support it too:
cd ~/rpmbuild/SPECS rpmbuild -bb strongswan.spec
Now install the binary packages:
cd ~/rpmbuild/RPMS/$(uname -i) rpm -Uvh --force \ strongswan-5*rpm \ strongswan-tnc-imcvs*rpm
Testing strongSwan is relatively easy, just try creating and viewing an ECDSA key. Note that on Fedora, the strongSwan command utility "ipsec" is actually invoked using the command "strongswan":
cd /tmp strongswan pki -g --type ecdsa --size 384 > myKey.der strongswan pki -a --type ecdsa-priv --in myKey.der private key with: pubkey: ECDSA 384 bits keyid: 66:27:29:e3:b2:e2:1f:81:fd:7b:25:86:59:86:5b:25:8f:84:6d:83 subjkey: 28:50:c3:9e:9c:ad:04:a8:db:72:47:f9:18:37:00:ad:ad:03:9f:bc
If you get this error:
# ipsec pki /sbin/ipsec: unknown IPsec command "pki" ("ipsec --help" for list)
you are incorrectly invoking the command "ipsec". Use the command "strongswan" instead.
If you get this error:
plugin 'pkcs7' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-pkcs7.so: cannot open shared object file: No such file or directory
it means you only installed the strongswan package and you also need to install the package strongswan-tnc-imcvstags: promote