Hello Mugur,

have a look at my inline comment.

Regards

Andreas

On 14.12.2011 15:24, ABULIUS, MUGUR (MUGUR) wrote:
> Hello Martin,
>
>> No, we currently don't support the Authority Information Access
>> extension in CRLs.
>
> Thank you for the answer.
>
> 1. What is the behavior of strongSwan when it receives an X.509
> certificate with an AIA extension? Is the extension ignored or is
> there some specific processing?
>

Here is the code which processes the AIA extension:

http://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libstrongswan/plugins/x509/x509_cert.c#L603

As you can see we currently extract OCSP URIs only.

> 2. We are looking for a way to validate CRLs signed with different
> keys (possibly by different CAs) than the certificates referencing
> these CRLs. For this scenario the local system has, by some other
> means, the X.509 certificate of the signing CA for the CRL. How
> should these X.509 certificates be specified to strongSwan (via which
> options and/or using which directories) to validate the CRL?
>

Currently the only alternative to extracting http or ldap CDPs from end entity certificates is to define additional CDPs in ipsec.conf in a special ca section.

>
> Regards Mugur

Regards

Andreas

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
