[strongSwan] RFC 4325 support - Authority Information Access CRL Extension

Andreas Steffen andreas.steffen at strongswan.org
Wed Dec 14 21:07:23 CET 2011

Hello Mugur,

have a look at my inline comment.



On 14.12.2011 15:24, ABULIUS, MUGUR (MUGUR) wrote:
> Hello Martin,
>> No, we currently don't support the Authority Information Access
>> extension in CRLs.
> Thank you for answer.
> 1. Which is the behavior of strongSwan when it receives a X.509
> certificate with an AIA extension? The  extension is ignored or there
> is some specific processing?
Here is the code which processes the AIA extension:


As you can see we currently extract OCSP URIs only.

> 2. We are looking for a way to validate CRLs signed with different
> keys (possibly by different CAs) as certificates referencing these
> CRLs. For this scenario the local system has, by some other means,
> the X.509 certificate of signing CA for CRL. How these X.509
> certificates should be specified to strongSwan (via which options
> or/and using which directories) to validate the CRL ?
Currently the only alternative to extracting http or ldap CDPs from
end entitcy certificates is to define additional CDPs in ipsec.conf
in a special ca section.

> Regards Mugur



Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4489 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20111214/290fafd1/attachment.bin>

More information about the Users mailing list