sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-04 00:00:14 -04:00
Code Issues Projects Releases Wiki Activity
strongswan/testing/tests/ikev2/ocsp-rfc4806-both/description.txt
Andreas Steffen 6f8275abab testing: Added RFC4806 tests
2024-03-13 15:11:00 +01:00

16 lines
928 B
Plaintext
Raw Blame History

By setting <b>revocation = strict</b> in swanctl.conf, a <b>strict</b> CRL policy
is enforced on both roadwarrior <b>carol</b> and gateway <b>moon</b>.
<p/>
Based on RFC 4806, both <b>carol</b> and <b>moon</b> send an OCSP request via an
IKEv2 CERTREQ payload to their peer which in turn requests online status information
on its own certificate from the OCSP server <b>winnetou</b> on behalf of the other
peer. The OCSP server <b>winnetou</b> possesses an OCSP signer certificate containing
an <b>OCSPSigning</b> Extended Key Usage (EKU) flag issued by the strongSwan CA.
<p/>
<b>carol</b>'s certificate includes an <b>OCSP URI</b> in an authority information
access extension pointing to <b>winnetou</b>. Therefore no special authorities
section information is needed in carol's swanctl.conf.
<p/>
<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
the status of both certificates is <b>good</b>.
Reference in New Issue View Git Blame Copy Permalink