Commit message | Author | Date | Files | Lines |
---|---|---|---|---|
revocation: Allow CRLs to be encoded in PEM format | Tobias Brunner | 2015-11-12 | 1 | -1/+1 |
Since the textual representation for a CRL is now standardized in RFC 7468 one could argue that we should accept that too, even though RFC 5280 explicitly demands CRLs fetched via HTTP/FTP to be in DER format. But in particular for file URIs enforcing that seems inconvenient. Fixes #1203. | | | | |
plugins: Don't link with -rdynamic on Windows | Martin Willi | 2014-06-04 | 1 | -1/+1 |
revocation: Log error if no OCSP signer candidate found | Martin Willi | 2014-03-31 | 1 | -1/+1 |
Fixes evaluation of ikev2/ocsp-untrusted-cert. | | | | |
revocation: Restrict OCSP signing to specific certificates | Martin Willi | 2014-03-31 | 1 | -7/+63 |
To avoid considering each cached OCSP response and evaluating its trustchain, we limit the certificates considered for OCSP signing to: - The issuing CA of the checked certificate - A directly delegated signer by the same CA, having the OCSP signer constraint - Any locally installed (trusted) certificate having the OCSP signer constraint. The first two options cover the requirements from RFC 6960 2.6. For compatibility with non-conforming CAs, we allow the third option as exception, but require the installation of such certificates locally. | | | | |
revocation: Don't merge auth config of CRL/OCSP trustchain validation | Martin Willi | 2014-03-31 | 1 | -39/+24 |
This behavior was introduced with 6840a6fb to avoid key/signature strength checking for the revocation trustchain as we do it for end entity certificates. Unfortunately this breaks CA constraint checking under certain conditions, as we merge additional intermediate/CA certificates to the auth config. As key/signature strength checking of the revocation trustchain is a rather exotic requirement we drop support for that to properly enforce CA constraints. | | | | |
credmgr: introduce a hook function to catch trust chain validation errors | Martin Willi | 2013-07-18 | 1 | -0/+6 |
automake: replace INCLUDES by AM_CPPFLAGS | Martin Willi | 2013-07-18 | 1 | -3/+4 |
INCLUDES are now deprecated and throw warnings when using automake 1.13. We now also differentiate AM_CPPFLAGS and AM_CFLAGS, where includes and defines are passed to AM_CPPFLAGS only. | | | | |
revocation: Use plugin features with soft dependencies on fetcher and en-/decoding | Tobias Brunner | 2013-06-11 | 1 | -3/+35 |
Moved debug.[ch] to utils folder | Tobias Brunner | 2012-10-24 | 1 | -1/+1 |
Add signature schemes to auth_cfg during trustchain validation | Martin Willi | 2012-06-12 | 1 | -2/+2 |
Added a flag to register local credential sets exclusively, disabling all others | Martin Willi | 2012-03-20 | 1 | -1/+1 |
Handle certificates being on hold in a CRL | Thomas Egerer | 2011-11-04 | 1 | -1/+11 |
Certificates which are set on hold in a CRL might be removed from any subsequent CRL. Hence you cannot conclude that a certificate is revoked for good in this case; you would try to retrieve an updated CRL to see if the certificate on hold is still on it or not. | | | | |
Added a (not yet implemented) plugin_t method to reload plugin configuration | Martin Willi | 2011-04-15 | 1 | -0/+1 |
Added a get_name() function to plugin_t, create_plugin_enumerator enumerates over plugin_t | Martin Willi | 2011-04-15 | 1 | -0/+7 |
[hopefully] fixed pathlen problem on ARM platforms | Andreas Steffen | 2011-02-10 | 1 | -1/+1 |
Added support for delta CRL checking to revocation plugin | Martin Willi | 2011-01-05 | 1 | -12/+109 |
Check for issuer only if we actually got a CRL | Martin Willi | 2011-01-05 | 1 | -7/+7 |
Pass an additional anchor flag to validate() hook if we reach the root CA | Martin Willi | 2011-01-05 | 1 | -1/+2 |
Always pass auth info to validate(), use pathlen to check for user certificate | Martin Willi | 2011-01-05 | 1 | -2/+4 |
Simplified format of x509 CRL URI parsing/enumerator | Martin Willi | 2011-01-05 | 1 | -8/+8 |
CRL/OCSP validation stores trustchain information in auth_cfg | Martin Willi | 2011-01-05 | 1 | -17/+31 |
Use certificate CRLIssuer information to look up cached CRLs or CDPs | Martin Willi | 2011-01-05 | 1 | -50/+88 |
Added support for CRL Issuers to x509 and OpenSSL plugins | Martin Willi | 2011-01-05 | 1 | -2/+1 |
Use a separate section for each nested struct member in INIT macro | Martin Willi | 2010-08-18 | 1 | -1/+5 |
Support different encoding types in certificate.get_encoding() | Martin Willi | 2010-07-13 | 1 | -1/+6 |
Renamed key_encod{ing,der}_t and constants, prepare for generic credential encoding | Martin Willi | 2010-07-13 | 1 | -2/+2 |
Moved CRL/OCSP checking to a dedicated plugin called revocation | Martin Willi | 2010-07-13 | 5 | -0/+750 |