[strongSwan] OCSP update dime

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 6 23:12:56 CET 2019


Answers and question as follows:

Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
A: CRL in ipsec.d/crls or fetched dynamically using configured (in ipsec.conf ca section or swanctl authority section) CRL URIs or CRL URI encoded in CA certificate

Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
A: Yes.

Am 06.11.19 um 22:46 schrieb Modster, Anthony:
> Thanks
> See below (A.M.)
> 
> -----Original Message-----
> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
> Sent: Wednesday, November 06, 2019 1:35 PM
> To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Hello Anthony,
> 
> The exact paragraph is
>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly then you > must either dramatically reduce the lifetime of a CRL e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) which will give you realtime information > on the certificate status.
> 
> The paragraph gives you the following information:
> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed (does not pertain OCSP)
> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
> 
> 2) If you need to get new information about revocations sooner than the nextUpdate time, then either decrease the nextUpdate time in the next CRL file you issue or use OCSP (Online Certificate Status Protocol) instead. OCSP works via a HTTP request asking the OCSP responder if a given certificate (identified by its hash) is valid at the current time or not.
> 
> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
> 
> Kind regards
> 
> Noel
> 
> Am 06.11.19 um 22:31 schrieb Modster, Anthony:
>> Hello
>> ? then what is Andreas referencing, below is the issue reported
>> https://wiki.strongswan.org/issues/568 
>>
>> Hi Jim,
>>
>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly then you must either dramatically reduce the lifetime of a CRL e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) which will give you realtime information on the certificate status.
>>
>> Andreas
>>
>> -----Original Message-----
>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
>> Sent: Wednesday, November 06, 2019 1:27 PM
>> To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Hello,
>>
>> The request doesn't really make sense.
>> There's no OCSP nextUpdate time, that's part of a CRL.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 06.11.19 um 00:03 schrieb Modster, Anthony:
>>> Hello
>>>
>>>  
>>>
>>> ? what is the nextUpdate time
>>>
>>> ? is it configurable
>>>
>>>  
>>>
>>> https://wiki.strongswan.org/issues/568
>>>
>>>  
>>>
>>> Thanks
>>>
>>>  
>>>
>>
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20191106/a96b487f/attachment.sig>


More information about the Users mailing list