TLS Options

The strongSwan libtls library offers a full Transport Layer Security (TLS) stack implementing TLS version 1.3 and TLS version 1.2. The legacy TLS version 1.1 and TLS version 1.0 are supported, too, but due to security reasons shouldn’t be used anymore.

libtls is used internally by the strongSwan eap-tls, eap-ttls, eap-peap and tnc-ifmap plugins, as well as by the pki --est, pki --estca, and pt-tls-client command line tools.

The options of the TLS stack can be configured in the libtls section of strongswan.conf.

Key Default Description [Default]

Key	Default	Description [Default]
cipher		List of TLS encryption ciphers
key_exchange		List of TLS key exchange methods
ke_group		List of TLS key exchange groups
mac		List of TLS MAC algorithms
signature		List of TLS signature schemes
suites		List of TLS cipher suites
send_certreq_authorities	`yes`	Whether to include CAs in a server’s `CertificateRequest` message. May be disabled if clients can’t handle a long list of CAs
version_min	`1.2`	Minimum TLS version to negotiate
version_max	`1.2`	Maximum TLS version to negotiate

cipher

List of TLS encryption ciphers

key_exchange

List of TLS key exchange methods

ke_group

List of TLS key exchange groups

mac

List of TLS MAC algorithms

signature

List of TLS signature schemes

suites

List of TLS cipher suites

send_certreq_authorities

yes

Whether to include CAs in a server’s CertificateRequest message. May be disabled if clients can’t handle a long list of CAs

version_min

1.2

Minimum TLS version to negotiate

version_max

1.2

Maximum TLS version to negotiate

There is usually no cipher suite configuration required, the TLS stack enables all secure algorithms that it has registered crypto backends for. Depending on the plugin configuration, the TLS stack supports the following cipher suites:

Cipher suites supported since version 5.9.2

Details

TLS 1.3

TLS_AES_256_GCM_SHA384,
TLS_AES_128_GCM_SHA256,
TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_128_CCM_SHA256,
TLS_AES_128_CCM_8_SHA256

TLS 1.2 and older

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_NULL_SHA

Cipher suites supported before version 5.9.2

Details

TLS 1.2 and older

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_NULL_SHA,
TLS_ECDHE_RSA_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_SHA,
TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_NULL_MD5

ECDHE and ECDSA require a third-party crypto backend. Since version 5.9.2, EdDSA may also be used with ECDSA cipher suites. ECDHE support is limited to the named curves SECP256R1, SECP384R1, SECP521R1, SECP224R1 and SECP192R1 with uncompressed points. Since version 5.9.2, Curve25519 and Curve448 are also supported. CAMELLIA encryption requires either the openssl or gcrypt plugin. NULL encryption is automatically disabled if the stack is used for purposes other than EAP-TLS where only the handshake of TLS is used.

There are three strongswan.conf options to limit the cipher suites by algorithms:

libtls {
  key_exchange = ecdhe-ecdsa, ecdhe-rsa, dhe-rsa, rsa
  cipher = aes256gcm, aes128gcm, chacha20poly1305, aes256, aes128, camellia256, camellia128, null
  mac = sha384, sha256, sha1
}

To specify the list of suites directly, use the suites option and a comma- separated list of the cipher suites above:

libtls {
  suites = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
}

Since version 5.9.2 the ECDH groups and signature schemes may be configured with:

libtls {
  ke_group = curve448, curve25519, ecp521, ecp384, ecp256, ecp224, ecp192
  signature = ed448, ed25519, ecdsa_sha521, ecdsa_sha384, ecdsa_sha256, rsa_pss_rsae_sha512, rsa_pss_rsae_sha384, rsa_pss_rsae_sha256, rsa_pkcs1_sha512, rsa_pkcs1_sha384, rsa_pkcs1_sha256
}