? where are the configuration parameters for OCSP
Note: we are using swanctl (VICI)


-----Original Message-----
From: Noel Kuntze <[email protected]> 
Sent: Wednesday, November 06, 2019 2:13 PM
To: Modster, Anthony <[email protected]>; [email protected]
Subject: Re: [strongSwan] OCSP update dime

Answers and question as follows:

Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
A: CRL in ipsec.d/crls or fetched dynamically using configured (in ipsec.conf 
ca section or swanctl authority section) CRL URIs or CRL URI encoded in CA 
certificate

Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
A: Yes.

Am 06.11.19 um 22:46 schrieb Modster, Anthony:
> Thanks
> See below (A.M.)
> 
> -----Original Message-----
> From: Noel Kuntze <[email protected]> 
> Sent: Wednesday, November 06, 2019 1:35 PM
> To: Modster, Anthony <[email protected]>; 
> [email protected]
> Subject: Re: [strongSwan] OCSP update dime
> 
> Hello Anthony,
> 
> The exact paragraph is
>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>> nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints 
>> more quickly then you must either dramatically reduce the lifetime of a 
>> CRL e.g. down to an hour or use the Online Certificate Status Protocol 
>> (OCSP) which will give you realtime information on the certificate status.
> 
> The paragraph gives you the following information:
> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed 
> (does not pertain to OCSP)
> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
> 
> 2) If you need to get new information about revocations sooner than the 
> nextUpdate time, then either decrease the nextUpdate time in the next CRL 
> file you issue or use OCSP (Online Certificate Status Protocol) instead. OCSP 
> works via an HTTP request asking the OCSP responder if a given certificate 
> (identified by its hash) is valid at the current time or not.
> 
> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
> 
> Kind regards
> 
> Noel
> 
> Am 06.11.19 um 22:31 schrieb Modster, Anthony:
>> Hello
>> ? then what is Andreas referencing, below is the issue reported
>> https://wiki.strongswan.org/issues/568 
>>
>> Hi Jim,
>>
>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>> nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints 
>> more quickly then you must either dramatically reduce the lifetime of a CRL 
>> e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) 
>> which will give you realtime information on the certificate status.
>>
>> Andreas
>>
>> -----Original Message-----
>> From: Noel Kuntze <[email protected]> 
>> Sent: Wednesday, November 06, 2019 1:27 PM
>> To: Modster, Anthony <[email protected]>; 
>> [email protected]
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Hello,
>>
>> The request doesn't really make sense.
>> There's no OCSP nextUpdate time, that's part of a CRL.
>>
>> Kind regards
>>
>> Noel
>>
>> Am 06.11.19 um 00:03 schrieb Modster, Anthony:
>>> Hello
>>>
>>> ? what is the nextUpdate time
>>>
>>> ? is it configurable
>>>
>>> https://wiki.strongswan.org/issues/568
>>>
>>> Thanks
>>>
>>
> 

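For the question at the top of the thread (where the OCSP and CRL parameters live when swanctl/VICI is used instead of ipsec.conf), the following is an added configuration example; it is not text from the thread and not the strongSwan project's own documentation. The authority name (corp-ca), the certificate file names and the CRL/OCSP URIs are assumed placeholders; the option names themselves are the ones swanctl.conf and strongswan.conf define.

```conf
# /etc/swanctl/swanctl.conf  (assumed example, not from the thread)

authorities {
    # One section per CA. The name (corp-ca) is arbitrary.
    corp-ca {
        # CA certificate, relative to /etc/swanctl/x509ca
        # (use "file = /abs/path" instead for an absolute path)
        cacert = corp-ca.pem

        # CRL distribution point(s). charon fetches from here only when it
        # has no CRL for this CA or the cached CRL's nextUpdate has passed.
        crl_uris = http://pki.example.com/crl/corp-ca.crl

        # OCSP responder(s). Queried per connection attempt, so a certificate
        # revoked at the responder is rejected even while a still-valid CRL
        # (nextUpdate in the future) is loaded.
        ocsp_uris = http://ocsp.example.com
    }
}

connections {
    rw {
        local {
            auth  = pubkey
            certs = gw.pem
        }
        remote {
            auth    = pubkey
            cacerts = corp-ca.pem
            # strict  : peer is rejected unless a CRL or OCSP response proves
            #           the certificate is not revoked
            # ifuri   : (default) check only when CRL/OCSP URIs are known
            # relaxed : accept if no revocation information can be obtained
            revocation = strict
        }
        children {
            net {
                local_ts  = 10.0.0.0/8
                remote_ts = dynamic
            }
        }
    }
}

# /etc/strongswan.conf  (assumed example, not from the thread)

charon {
    plugins {
        revocation {
            # Both checks are on by default; shown here to make the
            # CRL-vs-OCSP switch explicit.
            enable_crl  = yes
            enable_ocsp = yes
        }
    }
}
```

Load the pieces with `swanctl --load-authorities`, `swanctl --load-creds` and `swanctl --load-conns`. A CRL file dropped into /etc/swanctl/x509crl is picked up by `--load-creds` and, as Andreas says above, is not refreshed from crl_uris until its nextUpdate passes; `openssl crl -in corp-ca.crl -noout -nextupdate` shows that time. An OCSP responder whose certificate is not signed by the CA itself must have its certificate placed in /etc/swanctl/x509ocsp so the responses are trusted.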