[strongSwan] OCSP update dime

Modster, Anthony Anthony.Modster at Teledyne.com
Thu Nov 7 01:03:04 CET 2019


OK, good luck

-----Original Message-----
From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
Sent: Wednesday, November 06, 2019 3:50 PM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

I think it takes all of them and tries them in order or something, I'd need to look at the code.

On 07.11.19 at 00:11, Modster, Anthony wrote:
> Hello Noel
> 
> If the URLs are not set, ? will strongswan read them from the User Cert
> swanctl: authorities.<name>.ocsp_uris “comma-separated list of OCSP URL’s”
> 
> ? would it be the same for CPD
> 
> -----Original Message-----
> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
> Sent: Wednesday, November 06, 2019 2:52 PM
> To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Check the man page for swanctl.conf on the system running strongSwan. Search for authorities or scroll to the bottom of the page.
> The possibility to configure CRL and OCSP URIs was added in 5.3.3.
> 
> Kind regards
> 
> Noel
> 
> On 06.11.19 at 23:16, Modster, Anthony wrote:
>> ? where are the configuration parameters for OCSP
>> Note: we are using swanctl (VICI)
>>
>>
>> -----Original Message-----
>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
>> Sent: Wednesday, November 06, 2019 2:13 PM
>> To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Answers and question as follows:
>>
>> Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>> A: CRL in ipsec.d/crls or fetched dynamically using configured (in ipsec.conf ca section or swanctl authority section) CRL URIs or CRL URI encoded in CA certificate
>>
>> Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>> A: Yes.
>>
>> On 06.11.19 at 22:46, Modster, Anthony wrote:
>>> Thanks
>>> See below (A.M.)
>>>
>>> -----Original Message-----
>>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
>>> Sent: Wednesday, November 06, 2019 1:35 PM
>>> To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
>>> Subject: Re: [strongSwan] OCSP update dime
>>>
>>> Hello Anthony,
>>>
>>> The exact paragraph is
>>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly then you must either dramatically reduce the lifetime of a CRL e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) which will give you realtime information on the certificate status.
>>>
>>> The paragraph gives you the following information:
>>> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed (does not pertain to OCSP)
>>> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>>>
>>> 2) If you need to get new information about revocations sooner than the nextUpdate time, then either decrease the nextUpdate time in the next CRL file you issue or use OCSP (Online Certificate Status Protocol) instead. OCSP works via an HTTP request asking the OCSP responder if a given certificate (identified by its hash) is valid at the current time or not.
>>>
>>> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 06.11.19 at 22:31, Modster, Anthony wrote:
>>>> Hello
>>>> ? then what is Andreas referencing, below is the issue reported
>>>> https://wiki.strongswan.org/issues/568 
>>>>
>>>> Hi Jim,
>>>>
>>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly then you must either dramatically reduce the lifetime of a CRL e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) which will give you realtime information on the certificate status.
>>>>
>>>> Andreas
>>>>
>>>> -----Original Message-----
>>>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
>>>> Sent: Wednesday, November 06, 2019 1:27 PM
>>>> To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
>>>> Subject: Re: [strongSwan] OCSP update dime
>>>>
>>>> Hello,
>>>>
>>>> The request doesn't really make sense.
>>>> There's no OCSP nextUpdate time, that's part of a CRL.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 06.11.19 at 00:03, Modster, Anthony wrote:
>>>>> Hello
>>>>>
>>>>>  
>>>>>
>>>>> ? what is the nextUpdate time
>>>>>
>>>>> ? is it configurable
>>>>>
>>>>>  
>>>>>
>>>>> https://wiki.strongswan.org/issues/568
>>>>>
>>>>>  
>>>>>
>>>>> Thanks
>>>>>
>>>>>  
>>>>>
>>>>
>>>
>>
> 
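As an added illustration of the swanctl.conf settings the replies point to (this is example configuration written for this page, not a file from the thread or from the strongSwan project): an authorities section that lists OCSP and CRL URIs explicitly for a CA, paired with a connection whose remote peer must pass a revocation check. The authority name, file name, host names and connection name are placeholders; the keys `authorities.<name>.cacert`, `crl_uris` and `ocsp_uris` and `connections.<conn>.remote.revocation` are documented swanctl.conf options (5.3.3 or later for the URI lists, as noted above).

```conf
# /etc/swanctl/conf.d/revocation.conf   (hypothetical file name)

authorities {
    example-ca {
        # CA certificate, relative to /etc/swanctl/x509ca/ (placeholder name)
        cacert = example-ca.pem

        # Comma-separated OCSP responder URIs to use for certificates issued
        # by this CA (placeholder host). These are consulted on top of any
        # AuthorityInfoAccess URI carried in the peer certificate itself.
        ocsp_uris = http://ocsp.example.invalid/

        # Comma-separated CRL distribution points (placeholder host). As the
        # thread explains, a fetched CRL is reused until its nextUpdate time
        # has passed, so keep CRL lifetimes short if you rely on CRLs alone.
        crl_uris = http://crl.example.invalid/example-ca.crl
    }
}

connections {
    rw {
        remote {
            auth = pubkey
            # strict: reject the peer unless a definitive revocation status
            # is obtained (OCSP response or a current CRL). Other values are
            # ifuri (check only when a URI is known) and relaxed (the default).
            revocation = strict
        }
    }
}
```

After editing, `swanctl --load-authorities` and `swanctl --load-conns` apply the sections without restarting the daemon; `swanctl --list-authorities` shows the URIs that were actually loaded, which is the quickest way to confirm the keys were placed in the right section.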


