[strongSwan] EU and EKU

Tobias Brunner tobias at strongswan.org
Wed Jun 5 10:10:06 CEST 2019

Hi Anthony,

> does the latest version of strongswan provide better “checking of the
> peer certificate EU and EKU”

I guess you mean KU not EU.  But what exactly do you mean with "better"?

The cRLSign KU bit is used in revocation checking (if a CRL is not
signed by the CA).  And since 5.6.3, in compliance with RFC 4945,
section, certificates either must not contain a KU extension
(like the ones generated by pki), or have at least one of the
digitalSignature or nonRepudiation bits set.

The only EKU that's used is OCSPSigning for revocation checking
(analogous to the cRLSign KU).
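A small worked example of the three checks described in the reply, added here as illustration and not part of the mailing-list thread or of strongSwan's own code: it decodes DER-encoded KeyUsage and ExtendedKeyUsage extension values with a minimal stdlib-only ASN.1 reader and applies the rules as stated above (peer certificate: no KU extension, or digitalSignature/nonRepudiation set; CRL signer: cRLSign required unless the CRL is signed by the CA itself; OCSP responder: OCSPSigning EKU). The function names, the constructed sample DER blobs and the simplified `signed_by_ca` flag are assumptions made for this example.

```python
from typing import List, Optional, Set, Tuple

# Bit positions of the KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
KU_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}
OID_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp-OCSPSigning
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth (used only as a contrast)


def _read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value triple; returns (tag, value, next position)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_key_usage(der: bytes) -> Set[str]:
    """Decode a KeyUsage extension value (a DER BIT STRING) into bit names."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]
    names = set()
    for i in range(len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(KU_BITS.get(i, f"bit{i}"))
    return names


def _decode_oid(value: bytes) -> str:
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_extended_key_usage(der: bytes) -> List[str]:
    """Decode an ExtendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    tag, value, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(value):
        t, v, pos = _read_tlv(value, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(v))
    return oids


def ike_peer_cert_acceptable(key_usage_der: Optional[bytes]) -> bool:
    """RFC 4945 rule as described in the post: no KU extension at all,
    or at least one of digitalSignature / nonRepudiation set."""
    if key_usage_der is None:
        return True
    return bool(parse_key_usage(key_usage_der) & {"digitalSignature", "nonRepudiation"})


def crl_signer_acceptable(key_usage_der: Optional[bytes], signed_by_ca: bool) -> bool:
    """cRLSign is only demanded when the CRL is not signed by the CA itself."""
    if signed_by_ca:
        return True
    return key_usage_der is not None and "cRLSign" in parse_key_usage(key_usage_der)


def ocsp_responder_acceptable(eku_der: Optional[bytes]) -> bool:
    """An OCSP responder certificate needs the OCSPSigning EKU."""
    return eku_der is not None and OID_OCSP_SIGNING in parse_extended_key_usage(eku_der)


# Constructed sample extension values (DER), hex for readability:
KU_CA = bytes.fromhex("03020106")        # keyCertSign | cRLSign (typical CA)
KU_END_ENTITY = bytes.fromhex("030205a0")  # digitalSignature | keyEncipherment
KU_ENCIPHER_ONLY = bytes.fromhex("03020520")  # keyEncipherment only -> rejected
EKU_OCSP = bytes.fromhex("300a06082b06010505070309")   # OCSPSigning
EKU_WEB = bytes.fromhex("300a06082b06010505070301")    # serverAuth only

if __name__ == "__main__":
    print("peer, KU end-entity :", ike_peer_cert_acceptable(KU_END_ENTITY))
    print("peer, KU encipher   :", ike_peer_cert_acceptable(KU_ENCIPHER_ONLY))
    print("delegated CRL signer:", crl_signer_acceptable(KU_CA, signed_by_ca=False))
    print("OCSP responder      :", ocsp_responder_acceptable(EKU_WEB))
```

The parser handles only what these two extensions need (primitive BIT STRING, SEQUENCE, OBJECT IDENTIFIER, short and long length forms); a real implementation would take the extension values from a parsed X.509 certificate rather than from raw blobs.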


