[strongSwan] RFC 4325 support - Authority Information Access CRL Extension

Andreas Steffen andreas.steffen at strongswan.org
Wed Dec 14 21:07:23 CET 2011


Hello Mugur,

have a look at my inline comment.

Regards

Andreas

On 14.12.2011 15:24, ABULIUS, MUGUR (MUGUR) wrote:
> Hello Martin,
> 
>> No, we currently don't support the Authority Information Access
>> extension in CRLs.
> 
> Thank you for the answer.
> 
> 1. What is the behavior of strongSwan when it receives an X.509
> certificate with an AIA extension? Is the extension ignored or is
> there some specific processing?
>
Here is the code which processes the AIA extension:

http://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libstrongswan/plugins/x509/x509_cert.c#L603

As you can see we currently extract OCSP URIs only.

> 2. We are looking for a way to validate CRLs signed with different
> keys (possibly by different CAs) than the certificates referencing
> these CRLs. For this scenario the local system has, by some other
> means, the X.509 certificate of the CA signing the CRL. How should
> these X.509 certificates be specified to strongSwan (via which options
> and/or using which directories) to validate the CRL?
>
Currently the only alternative to extracting http or ldap CDPs from
end entity certificates is to define additional CDPs in ipsec.conf
in a special ca section.

> 
> Regards Mugur

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
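
As an added illustration of the behaviour described above, where only OCSP URIs are taken from the AIA extension (this is not strongSwan's code and not part of the original message): a minimal DER walk over a constructed AIA extension value that returns the id-ad-ocsp URIs and skips the caIssuers entry. The function names, the 128-byte URI buffers and the sample URIs are assumptions made for this example.

```c
#include <string.h>

/* DER contents of id-ad-ocsp (1.3.6.1.5.5.7.48.1); id-ad-caIssuers ends in 0x02 */
static const unsigned char OID_OCSP[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01};

/* Constructed sample AIA extension value: one OCSP and one caIssuers entry */
static const unsigned char SAMPLE_AIA[] = "\x30\x51"
    "\x30\x24" "\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x01" "\x86\x18" "http://ocsp.example.test"
    "\x30\x29" "\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x02" "\x86\x1d" "http://ca.example.test/ca.cer";

/* Read one DER TLV (short or 1-2 byte long-form length); returns 0 on malformed input */
static int tlv(const unsigned char **p, const unsigned char *end,
               unsigned char *tag, const unsigned char **val, size_t *len)
{
    if (end - *p < 2) return 0;
    *tag = *(*p)++;
    size_t l = *(*p)++;
    if (l & 0x80) {                       /* long-form length */
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - *p) < n) return 0;
        for (l = 0; n--; ) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return 0; /* value must fit in the buffer */
    *val = *p; *len = l; *p += l;
    return 1;
}

/* Collect URIs whose accessMethod is id-ad-ocsp; returns count, -1 if malformed */
int aia_ocsp_uris(const unsigned char *der, size_t der_len, char out[][128], int max)
{
    const unsigned char *p = der, *end = der + der_len, *seq, *ad, *oid, *loc, *q;
    size_t seq_len, ad_len, oid_len, loc_len;
    unsigned char tag;
    int n = 0;
    if (!tlv(&p, end, &tag, &seq, &seq_len) || tag != 0x30) return -1;
    for (p = seq, end = seq + seq_len; p < end; ) {
        if (!tlv(&p, end, &tag, &ad, &ad_len) || tag != 0x30) return -1;
        q = ad;
        if (!tlv(&q, ad + ad_len, &tag, &oid, &oid_len) || tag != 0x06) return -1;
        if (!tlv(&q, ad + ad_len, &tag, &loc, &loc_len)) return -1;
        /* GeneralName [6] uniformResourceIdentifier is tag 0x86; other methods are skipped */
        if (tag == 0x86 && oid_len == sizeof OID_OCSP && !memcmp(oid, OID_OCSP, oid_len)
            && n < max && loc_len < 128) {
            memcpy(out[n], loc, loc_len);
            out[n++][loc_len] = '\0';
        }
    }
    return n;
}
```

Call `aia_ocsp_uris(SAMPLE_AIA, sizeof SAMPLE_AIA - 1, uris, 4)` with `char uris[4][128]`; the `- 1` drops the string literal's trailing NUL.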
