[strongSwan] RFC 4325 support - Authority Information Access CRL Extension

ABULIUS, MUGUR (MUGUR) mugur.abulius at alcatel-lucent.com
Thu Jan 5 08:19:32 CET 2012

Hi Andreas,

Happy New Year to all at the strongSwan team!

Sorry to ask again. I am confused about the sentence:

> the only alternative to extracting http CDPs from end entity certificates
> is to define additional CDPs in ipsec.conf in a special ca section

Is this sentence true only in relation with AIA extension (RFC 4325), or
is it a general strongSwan statement for retrieving CRLs?

Assuming that an X.509 certificate has a CDP extension but ***NOT*** an AIA
extension, do you mean that strongSwan can't retrieve the CRL unless the CDP
is (also) specified in ipsec.conf (it is already specified inside X.509

In any case, and regardless of the answer to the previous question, we need to
address the validation of retrieved CRL that was signed by a specific CA
(CA1). My assumption is that strongSwan needs to be commissioned with the
certificate of CA1 in order to be able to validate the CRL. 

So the question: by which ipsec.conf option should the certificate of CA1 be
specified, and in which directory should it be present, for strongSwan to use
it for CRL validation?

Thank you
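The two points the question above turns on, namely what an end-entity certificate carries in its CDP extension versus its AIA extension, and that a fetched CRL can only be validated against the public key of the CA that signed it, can be shown in a few lines with the Python `cryptography` package. This is an added example and not strongSwan code or code from anyone in the thread; the CA name "CA1", the gateway certificate and the http://crl.example.test and http://ocsp.example.test URIs are constructed for the example, and the whole PKI is generated in memory.

```python
"""Added example: build a one-level PKI in memory, read the CDP and AIA
extensions of the end-entity certificate, and validate a CRL against CA1."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (
    AuthorityInformationAccessOID, ExtensionOID, NameOID,
)

CDP_URI = "http://crl.example.test/ca1.crl"   # constructed placeholder
OCSP_URI = "http://ocsp.example.test/"        # constructed placeholder
NOW = datetime.datetime(2012, 1, 5, tzinfo=datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_pki(with_aia=True):
    """Return (ca_cert, ca_key, ee_cert, crl) for a self-signed CA 'CA1'.

    The end-entity certificate always gets a CRL distribution point; the
    AIA extension (with an OCSP responder) is optional so that the
    'CDP but no AIA' case from the thread can be exercised."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(_name("CA1")).issuer_name(_name("CA1"))
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    ee_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name("gateway")).issuer_name(ca_cert.subject)
        .public_key(ee_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30))
        .add_extension(
            x509.CRLDistributionPoints([
                x509.DistributionPoint(
                    full_name=[x509.UniformResourceIdentifier(CDP_URI)],
                    relative_name=None, reasons=None, crl_issuer=None)
            ]),
            critical=False,
        )
    )
    if with_aia:
        builder = builder.add_extension(
            x509.AuthorityInformationAccess([
                x509.AccessDescription(
                    AuthorityInformationAccessOID.OCSP,
                    x509.UniformResourceIdentifier(OCSP_URI))
            ]),
            critical=False,
        )
    ee_cert = builder.sign(ca_key, hashes.SHA256())
    # An empty CRL is enough here: the point is who signed it, not its contents.
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_cert, ca_key, ee_cert, crl


def cdp_uris(cert):
    """URIs (http, ldap, ...) from the CRL Distribution Points extension."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def aia_ocsp_uris(cert):
    """OCSP responder URIs from the AIA extension; nothing else is read,
    mirroring the 'we currently extract OCSP URIs only' statement."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
    except x509.ExtensionNotFound:
        return []
    return [ad.access_location.value for ad in ext.value
            if ad.access_method == AuthorityInformationAccessOID.OCSP]


def crl_is_valid(crl, ca_cert):
    """A CRL is trusted only if its issuer name matches the CA and the
    signature verifies with that CA's public key, so the verifier must
    already hold CA1's certificate."""
    return (crl.issuer == ca_cert.subject
            and crl.is_signature_valid(ca_cert.public_key()))
```

Building the PKI twice gives two distinct "CA1" keys with the same name; a CRL from one fails `crl_is_valid` against the other even though the issuer names match, which is exactly why name matching alone is not validation.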

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Wednesday 14 December 2011 21:07
Cc: Martin Willi; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen G (Stephen); users at lists.strongswan.org; WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension

Hello Mugur,

have a look at my inline comment.

On 14.12.2011 15:24, ABULIUS, MUGUR (MUGUR) wrote:
> Hello Martin,
>> No, we currently don't support the Authority Information Access 
>> extension in CRLs.
> Thank you for answer.
> 1. Which is the behavior of strongSwan when it receives an X.509 
> certificate with an AIA extension? The extension is ignored or there 
> is some specific processing?
Here is the code which processes the AIA extension:


As you can see we currently extract OCSP URIs only.

> 2. We are looking for a way to validate CRLs signed with different 
> keys (possibly by different CAs) as certificates referencing these 
> CRLs. For this scenario the local system has, by some other means, the 
> X.509 certificate of signing CA for CRL. How these X.509 certificates 
> should be specified to strongSwan (via which options or/and using 
> which directories) to validate the CRL?
Currently the only alternative to extracting http or ldap CDPs from end entity certificates is to define additional CDPs in ipsec.conf in a special ca section.

> Regards Mugur

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
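What the "special ca section" referred to above looks like, as an added example rather than a configuration from the thread or from the strongSwan project: the section name `ca1`, the file name `ca1Cert.pem` and the CRL URI are placeholders, and the assumption is that the file named by `cacert=` is placed in /etc/ipsec.d/cacerts/, the location strongSwan reads CA certificates from, so that a CRL fetched from `crluri=` can be checked against CA1's public key.

```ini
# /etc/ipsec.conf (added example; names and URI are placeholders)
config setup
        # reject connections when no valid CRL is available
        strictcrlpolicy=yes

ca ca1
        # CA1's certificate, read from /etc/ipsec.d/cacerts/ (assumed default)
        cacert=ca1Cert.pem
        # additional CRL distribution point for certificates issued by CA1
        crluri=http://crl.example.test/ca1.crl
        auto=add
```

`crluri` supplements, not replaces, any http or ldap CDP found in the end-entity certificate; `crluri2` is available for a second URI.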
