| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | revocation: More accurately describe the flags to disable OCSP/CRL validation | Tobias Brunner | 2017-02-15 | 1 | -8/+7 |
| | | | | | | | These options disable validation as such, e.g. even from cached CRLs, not only the fetching. Also made the plugin's validate() implementation a no-op if both options are disabled. | ||||
| * | revocation: OCSP and/or CRL fetching can be disabled | Andreas Steffen | 2016-12-30 | 1 | -38/+71 |
| | | |||||
| * | revocation: Cache valid CRL also if certificate is revoked | Tobias Brunner | 2016-10-11 | 1 | -10/+25 |
| | | |||||
| * | revocation: Allow CRLs to be encoded in PEM format | Tobias Brunner | 2015-11-12 | 1 | -1/+1 |
| | | | | | | | | | | | Since the textual representation for a CRL is now standardized in RFC 7468 one could argue that we should accept that too, even though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to be in DER format. But in particular for file URIs enforcing that seems inconvenient. Fixes #1203. | ||||
| * | revocation: Log error if no OCSP signer candidate found | Martin Willi | 2014-03-31 | 1 | -1/+1 |
| | | | | | Fixes evaluation of ikev2/ocsp-untrusted-cert. | ||||
| * | revocation: Restrict OCSP signing to specific certificates | Martin Willi | 2014-03-31 | 1 | -7/+63 |
| | | | | | | | | | | | | | | To avoid considering each cached OCSP response and evaluating its trustchain, we limit the certificates considered for OCSP signing to: - The issuing CA of the checked certificate - A directly delegated signer by the same CA, having the OCSP signer constraint - Any locally installed (trusted) certificate having the OCSP signer constraint The first two options cover the requirements from RFC 6960 2.6. For compatibility with non-conforming CAs, we allow the third option as exception, but require the installation of such certificates locally. | ||||
| * | revocation: Don't merge auth config of CLR/OCSP trustchain validation | Martin Willi | 2014-03-31 | 1 | -39/+24 |
| | | | | | | | | | | | This behavior was introduced with 6840a6fb to avoid key/signature strength checking for the revocation trustchain as we do it for end entity certificates. Unfortunately this breaks CA constraint checking under certain conditions, as we merge additional intermediate/CA certificates to the auth config. As key/signature strength checking of the revocation trustchain is a rather exotic requirement we drop support for that to properly enforce CA constraints. | ||||
| * | credmgr: introduce a hook function to catch trust chain validation errors | Martin Willi | 2013-07-18 | 1 | -0/+6 |
| | | |||||
| * | Moved debug.[ch] to utils folder | Tobias Brunner | 2012-10-24 | 1 | -1/+1 |
| | | |||||
| * | Add signature schemes to auth_cfg during trustchain validation | Martin Willi | 2012-06-12 | 1 | -2/+2 |
| | | |||||
| * | Added a flag to register local credential sets exclusively, disabling all others | Martin Willi | 2012-03-20 | 1 | -1/+1 |
| | | |||||
| * | Handle certificates being on hold in a CRL | Thomas Egerer | 2011-11-04 | 1 | -1/+11 |
| | | | | | | | | Certificates which are set on hold in a CRL might be removed from any subsequent CRL. Hence you cannot conclude that a certificate is revoked for good in this case, you would try to retrieve an update CRL to see if the certificate on hold is still on it or not. | ||||
| * | [hopefully] fixed pathlen problem on ARM platforms | Andreas Steffen | 2011-02-10 | 1 | -1/+1 |
| | | |||||
| * | Added support for delta CRL checking to revocation plugin | Martin Willi | 2011-01-05 | 1 | -12/+109 |
| | | |||||
| * | Check for issuer only if we actually got a CRL | Martin Willi | 2011-01-05 | 1 | -7/+7 |
| | | |||||
| * | Pass an additional anchor flag to validate() hook if we reach the root CA | Martin Willi | 2011-01-05 | 1 | -1/+2 |
| | | |||||
| * | Always pass auth info to validate(), use pathlen to check for user certificate | Martin Willi | 2011-01-05 | 1 | -2/+4 |
| | | |||||
| * | Simplified format of x509 CRL URI parsing/enumerator | Martin Willi | 2011-01-05 | 1 | -8/+8 |
| | | |||||
| * | CRL/OCSP validation stores trustchain information in auth_cfg | Martin Willi | 2011-01-05 | 1 | -17/+31 |
| | | |||||
| * | Use certificate CRLIssuer information to look up cacched CRLs or CDPs | Martin Willi | 2011-01-05 | 1 | -50/+88 |
| | | |||||
| * | Added support for CRL Issuers to x509 and OpenSSL plugins | Martin Willi | 2011-01-05 | 1 | -2/+1 |
| | | |||||
| * | Support different encoding types in certificate.get_encoding() | Martin Willi | 2010-07-13 | 1 | -1/+6 |
| | | |||||
| * | Renamed key_encod{ing,der}_t and constants, prepare for generic credential ↵ | Martin Willi | 2010-07-13 | 1 | -2/+2 |
| | | | | | encoding | ||||
| * | Moved CRL/OCSP checking to a dedicated plugin called revocation | Martin Willi | 2010-07-13 | 1 | -0/+582 |
 |
index : tteras/strongswan | |
| tteras' strongSwan tree | gitolite |
| aboutsummaryrefslogtreecommitdiffstats |