authorMartin Willi <martin@strongswan.org>2017-02-22 09:43:31 +0100
committerMartin Willi <martin@strongswan.org>2017-03-02 08:24:02 +0100
commitd1317adb9a45166cdc8f44117a5fa85ecd053552 (patch)
treec8e856c9269fc1f00b8e6122f973f52f20bf8901 /conf
parentda82786b2d8cef68ca6462bf7898a6b19c0b4608 (diff)
addrblock: Support an optional non-strict mode accepting certs without addrblock
This allows a gateway to enforce the addrblock policy only on certificates that actually have the extension. For (legacy) certificates without the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration.
Diffstat (limited to 'conf')
2 files changed, 9 insertions, 0 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 80fa31e73..41912c43a 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -28,6 +28,7 @@ options = \
plugins = \
+ plugins/addrblock.opt \
plugins/android_log.opt \
plugins/attr.opt \
plugins/attr-sql.opt \
diff --git a/conf/plugins/addrblock.opt b/conf/plugins/addrblock.opt
new file mode 100644
index 000000000..e35e4c5ad
--- /dev/null
+++ b/conf/plugins/addrblock.opt
@@ -0,0 +1,8 @@
+charon.plugins.addrblock.strict = yes
+ Whether to strictly require addrblock extension in subject certificates.
+ If set to yes, a subject certificate without an addrblock extension is
+ rejected if the issuer certificate has such an addrblock extension. If set
+ to no, subject certificates issued without the addrblock extension are
+ accepted without any traffic selector checks and no policy is enforced
+ by the plugin.
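Review bot: The description of `strict = no` (last three lines of the hunk) tells the operator that the plugin enforces nothing for certificates lacking the extension, but not what must then carry the traffic selector restriction, which the commit message attributes to the connection configuration. I would append a sentence such as `In non-strict mode the traffic selectors of peers presenting such certificates are restricted only by the connection configuration, so narrow them there if the addrblock policy is meant to be the sole control.` The text also covers only the case where the issuer has an addrblock extension; if the intended behaviour for a chain with no addrblock extension anywhere is to accept the certificate, stating that explicitly would avoid ambiguity about what `strict = yes` rejects.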