diff --git a/testing/tests/ikev2/ocsp-revoked/description.txt b/testing/tests/ikev2/ocsp-revoked/description.txt index ead076a046..73d0725492 100644 --- a/testing/tests/ikev2/ocsp-revoked/description.txt +++ b/testing/tests/ikev2/ocsp-revoked/description.txt @@ -1,7 +1,7 @@ By setting strictcrlpolicy=yes, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which possesses an OCSP signer certificate -issued by the strongSwan CA. This certificate contains an OCSPSigner +issued by the strongSwan CA. This certificate contains an OCSPSigning extended key usage flag. A strongswan ca section in ipsec.conf defines an OCSP URI pointing to winnetou.

diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
index 1d9d760cde..eacb70c404 100644
--- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
@@ -1,6 +1,6 @@
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
 moon::cat /var/log/daemon.log::received valid http response::YES
-moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
+moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt index 300d75a62e..492a9882b0 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/description.txt +++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt @@ -1,7 +1,7 @@ By setting strictcrlpolicy=yes, a strict CRL policy is enforced on both roadwarrior carol and gateway moon. The online certificate status is checked via the OCSP server winnetou which possesses an OCSP signer certificate -issued by the strongSwan CA. This certificate contains an OCSPSigner +issued by the strongSwan CA. This certificate contains an OCSPSigning extended key usage flag. carol's certificate includes an OCSP URI in an authority information access extension pointing to winnetou. Therefore no special ca section information is needed in ipsec.conf.
diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
index ffe9c55155..4a8ffd412c 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
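Review bot: In the ocsp-revoked/evaltest.dat hunk the new side no longer asserts that moon actually judged carol's certificate revoked: the `certificate was revoked` line is removed and nothing replaces it. The remaining checks (valid HTTP response, trusted signer certificate, AUTHENTICATION_FAILED, no ESTABLISHED SA) would presumably also pass if the OCSP status were merely unusable, since strictcrlpolicy=yes rejects a peer without a good status, so the test could stop detecting a regression in revocation handling. I would keep `moon::cat /var/log/daemon.log::certificate was revoked::YES` after the signer check, or, if the daemon's log wording changed in code not shown here, assert the new wording instead.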
@@ -1,9 +1,11 @@
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
 moon::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
 carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
 moon::cat /var/log/daemon.log::received valid http response::YES
 carol::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
+carol::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
+moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
 moon::cat /var/log/daemon.log::certificate is good::YES
 carol::cat /var/log/daemon.log::certificate is good::YES
 moon::ipsec status::rw.*ESTABLISHED::YES