Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension
On 05.01.2012 08:19, ABULIUS, MUGUR (MUGUR) wrote:

> Hi Andreas,
>
> Happy New Year to all at the strongSwan team!
>
> Sorry to ask again. I am confused about the sentence:
>
> > the only alternative to extracting http CDPs from end entity certificates is to define additional CDPs in ipsec.conf in a special ca section
>
> Is this sentence true only in relation with the AIA extension (RFC 4325), or is it a general strongSwan statement for retrieving CRLs?
>
> Assuming that an X.509 certificate has a CDP extension but ***NOT*** an AIA extension, do you mean that strongSwan can't retrieve the CRL unless the CDP is (also) specified in ipsec.conf (it is already specified inside the X.509 certificate)?

No, CDP extensions in certificates are always processed and don't require a ca section in ipsec.conf. AIA extensions can only be used for OCSP URIs and don't require a ca section either. ca sections in ipsec.conf are only used to define additional CDPs and/or OCSP URIs.

> In any case, and regardless of the answer to the previous question, we need to address the validation of a retrieved CRL that was signed by a specific CA (CA1). My assumption is that strongSwan needs to be commissioned with the certificate of CA1 in order to be able to validate the CRL.

Yes

> So the question: by which ipsec.conf option should the certificate of CA1 be specified, and in which directory should it be present, to be used by strongSwan for CRL validation?

The CA certificates to be used for CRL validation must either be stored in /etc/ipsec.d/cacerts or can be defined together with additional CDPs in a ca section in ipsec.conf.
> Thank you
> Mugur

Regards

Andreas

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
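As an added illustration of the layout Andreas describes (this is example configuration, not from the thread or the strongSwan project): the certificate of CA1, which signs the CRL, is placed in /etc/ipsec.d/cacerts, and an optional ca section references it to attach CDPs and OCSP URIs beyond those carried in the end-entity certificates. The section name, file name and URIs are assumptions.

```conf
# /etc/ipsec.conf (added example; section name, file name and URIs are assumed)

config setup
        # refuse peers whose certificate status cannot be checked against a CRL
        strictcrlpolicy=yes

# The CA1 certificate in /etc/ipsec.d/cacerts is sufficient on its own for
# validating a CRL signed by CA1; CDP extensions in the certificates are always
# processed. A ca section is only needed to add further CDPs or OCSP URIs.
ca ca1
        # relative path resolves under /etc/ipsec.d/cacerts
        cacert=ca1Cert.pem
        # additional CRL distribution point, used alongside any CDP extension
        crluri=http://crl.example.com/ca1.crl
        # additional OCSP responder, used alongside any AIA OCSP URI
        ocspuri=http://ocsp.example.com
        auto=add
```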
Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension
Hi Andreas,

Happy New Year to all at the strongSwan team!

Sorry to ask again. I am confused about the sentence:

> the only alternative to extracting http CDPs from end entity certificates is to define additional CDPs in ipsec.conf in a special ca section

Is this sentence true only in relation with the AIA extension (RFC 4325), or is it a general strongSwan statement for retrieving CRLs?

Assuming that an X.509 certificate has a CDP extension but ***NOT*** an AIA extension, do you mean that strongSwan can't retrieve the CRL unless the CDP is (also) specified in ipsec.conf (it is already specified inside the X.509 certificate)?

In any case, and regardless of the answer to the previous question, we need to address the validation of a retrieved CRL that was signed by a specific CA (CA1). My assumption is that strongSwan needs to be commissioned with the certificate of CA1 in order to be able to validate the CRL.

So the question: by which ipsec.conf option should the certificate of CA1 be specified, and in which directory should it be present, to be used by strongSwan for CRL validation?

Thank you
Mugur

-----Original Message-----
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: Wednesday 14 December 2011 21:07
To: ABULIUS, MUGUR (MUGUR)
Cc: Martin Willi; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen G (Stephen); users@lists.strongswan.org; WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension

Hello Mugur,

have a look at my inline comment.

Regards

Andreas

On 14.12.2011 15:24, ABULIUS, MUGUR (MUGUR) wrote:
> Hello Martin,
>
> > No, we currently don't support the Authority Information Access extension in CRLs.
>
> Thank you for the answer.
>
> 1. What is the behavior of strongSwan when it receives an X.509 certificate with an AIA extension? Is the extension ignored, or is there some specific processing?

Here is the code which processes the AIA extension:

http://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libstrongswan/plugins/x509/x509_cert.c#L603

As you can see we currently extract OCSP URIs only.

> 2. We are looking for a way to validate CRLs signed with different keys (possibly by different CAs) than the certificates referencing these CRLs. For this scenario the local system has, by some other means, the X.509 certificate of the CA signing the CRL. How should these X.509 certificates be specified to strongSwan (via which options and/or using which directories) to validate the CRL?

Currently the only alternative to extracting http or ldap CDPs from end entity certificates is to define additional CDPs in ipsec.conf in a special ca section.

> Regards
> Mugur

Regards

Andreas
Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension
Hello Andreas,

> the only alternative to extracting http CDPs from end entity certificates is to define additional CDPs in ipsec.conf in a special ca section

Thank you.

Assuming that the retrieved CRL was signed by CA1, my question is: does strongSwan expect an X.509 certificate with the subject name CA1 in /etc/ipsec.d/cacerts to check/validate the signature of the CRL?

Best Regards
Mugur
Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension
Hello Mugur,

> Does Charon support the Authority Information Access CRL Extension as specified by RFC 4325?

No, we currently don't support the Authority Information Access extension in CRLs.

Regards
Martin
Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension
Hello Martin,

> No, we currently don't support the Authority Information Access extension in CRLs.

Regards
Mugur
Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension
Hello Martin,

> No, we currently don't support the Authority Information Access extension in CRLs.

Thank you for the answer.

1. What is the behavior of strongSwan when it receives an X.509 certificate with an AIA extension? Is the extension ignored, or is there some specific processing?

2. We are looking for a way to validate CRLs signed with different keys (possibly by different CAs) than the certificates referencing these CRLs. For this scenario the local system has, by some other means, the X.509 certificate of the CA signing the CRL. How should these X.509 certificates be specified to strongSwan (via which options and/or using which directories) to validate the CRL?

Regards
Mugur
Re: [strongSwan] RFC 4325 support - Authority Information Access CRL Extension
Hello Mugur,

have a look at my inline comment.

Regards

Andreas

On 14.12.2011 15:24, ABULIUS, MUGUR (MUGUR) wrote:
> Hello Martin,
>
> > No, we currently don't support the Authority Information Access extension in CRLs.
>
> Thank you for the answer.
>
> 1. What is the behavior of strongSwan when it receives an X.509 certificate with an AIA extension? Is the extension ignored, or is there some specific processing?

Here is the code which processes the AIA extension:

http://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libstrongswan/plugins/x509/x509_cert.c#L603

As you can see we currently extract OCSP URIs only.

> 2. We are looking for a way to validate CRLs signed with different keys (possibly by different CAs) than the certificates referencing these CRLs. For this scenario the local system has, by some other means, the X.509 certificate of the CA signing the CRL. How should these X.509 certificates be specified to strongSwan (via which options and/or using which directories) to validate the CRL?

Currently the only alternative to extracting http or ldap CDPs from end entity certificates is to define additional CDPs in ipsec.conf in a special ca section.

> Regards
> Mugur

Regards

Andreas