| field | value | date |
|---|---|---|
| author | Martin Willi <martin@revosec.ch> | 2014-03-25 14:34:58 +0100 |
| committer | Martin Willi <martin@revosec.ch> | 2014-03-31 14:40:33 +0200 |
| commit | 91d71abb16a9b15bbcd7f6cbefb806408be3b92d (patch) | |
| tree | 78316a3926aeef1358ad770fee3401fc56af7fa7 /testing/tests/ikev2/ocsp-no-signer-cert | |
| parent | a844b6589034ff53e845fb9013d69dac02385453 (diff) | |
revocation: Restrict OCSP signing to specific certificates
To avoid considering each cached OCSP response and evaluating its trustchain,
we limit the certificates considered for OCSP signing to:
- The issuing CA of the checked certificate
- A directly delegated signer by the same CA, having the OCSP signer constraint
- Any locally installed (trusted) certificate having the OCSP signer constraint
The first two options cover the requirements from RFC 6960 2.6. For
compatibility with non-conforming CAs, we allow the third option as an exception,
but require the installation of such certificates locally.
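The three signer classes listed in the commit message, modelled as a candidate filter in Python. This is an added illustration, not strongSwan's revocation plugin code: certificates are a constructed toy record (`Cert`), delegation is matched by issuer name rather than by verifying the signer's signature, and the filter runs before any signature or trust-chain check, which is the point of the restriction. An empty result is the situation the updated test expects to see logged as "no signer".

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 6960 extended key usage that marks a delegated OCSP responder
OCSP_SIGNING = "id-kp-OCSPSigning"


@dataclass(frozen=True)
class Cert:
    """Constructed toy certificate; real code would carry parsed X.509 data."""
    subject: str
    issuer: str
    eku: frozenset = frozenset()
    locally_trusted: bool = False  # installed in the local trust store


def signer_reason(signer: Cert, checked: Cert, issuer_ca: Cert) -> Optional[str]:
    """Why a candidate may sign OCSP responses for `checked`, or None."""
    # 1. the issuing CA of the checked certificate
    if signer == issuer_ca and signer.subject == checked.issuer:
        return "issuing CA"
    # 2. a signer directly delegated by that same CA (assumed: issuer-name
    #    match stands in for verifying the delegated cert's signature)
    #    carrying the OCSP signing constraint
    if signer.issuer == issuer_ca.subject and OCSP_SIGNING in signer.eku:
        return "delegated signer"
    # 3. exception for non-conforming CAs: any locally installed (trusted)
    #    certificate with the OCSP signing constraint
    if signer.locally_trusted and OCSP_SIGNING in signer.eku:
        return "locally trusted signer"
    return None


def select_ocsp_signers(candidates: List[Cert], checked: Cert,
                        issuer_ca: Cert) -> List[Tuple[Cert, str]]:
    """Filter cached/candidate certs before any signature verification.

    Returns the acceptable signers with their reason; an empty list means
    the response cannot be verified for lack of an eligible signer.
    """
    out = []
    for cand in candidates:
        reason = signer_reason(cand, checked, issuer_ca)
        if reason is not None:
            out.append((cand, reason))
    return out
```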
Diffstat (limited to 'testing/tests/ikev2/ocsp-no-signer-cert')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat | 2 |

1 file changed, 1 insertion, 1 deletion
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat index a2ce5ad93..a6ae74fe3 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat @@ -1,5 +1,5 @@ moon:: cat /var/log/daemon.log::requesting ocsp status from::YES -moon:: cat /var/log/daemon.log::ocsp response verification failed::YES +moon:: cat /var/log/daemon.log::ocsp response verification failed, no signer::YES moon:: cat /var/log/daemon.log::certificate status is not available::YES moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO |
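Review bot: The `-`/`+` pair only lengthens the substring expected in daemon.log from "ocsp response verification failed" to "ocsp response verification failed, no signer"; since evaltest patterns are substring matches, the old pattern would still match the new message, so the change correctly tightens the test to the no-signer outcome that the restricted signer policy in the commit message is meant to produce. The expected string has to match the revocation plugin's log text exactly, and that plugin change is not visible here because the diffstat is limited to this test directory; worth confirming the wording against the plugin hunk in the same commit before merging.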