[strongSwan] RFC 4325 support - Authority Information Access CRL Extension
andreas.steffen at strongswan.org
Wed Dec 14 21:07:23 CET 2011
have a look at my inline comment.
On 14.12.2011 15:24, ABULIUS, MUGUR (MUGUR) wrote:
> Hello Martin,
>> No, we currently don't support the Authority Information Access
>> extension in CRLs.
> Thank you for answer.
> 1. Which is the behavior of strongSwan when it receives a X.509
> certificate with an AIA extension? The extension is ignored or there
> is some specific processing?
Here is the code which processes the AIA extension:
As you can see we currently extract OCSP URIs only.
> 2. We are looking for a way to validate CRLs signed with different
> keys (possibly by different CAs) as certificates referencing these
> CRLs. For this scenario the local system has, by some other means,
> the X.509 certificate of signing CA for CRL. How these X.509
> certificates should be specified to strongSwan (via which options
> or/and using which directories) to validate the CRL ?
Currently the only alternative to extracting http or ldap CDPs from
end entitcy certificates is to define additional CDPs in ipsec.conf
in a special ca section.
> Regards Mugur
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4489 bytes
Desc: S/MIME Cryptographic Signature
More information about the Users