Check the man page for swanctl.conf on the system running strongSwan. Search for authorities or scroll to the bottom of the page. The possibility to configure CRL and OCSP URIs was added in 5.3.3.
Kind regards Noel Am 06.11.19 um 23:16 schrieb Modster, Anthony: > ? were are the configuration parameters for OCSP > Note: we are using swanctl (VICI) > > > -----Original Message----- > From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> > Sent: Wednesday, November 06, 2019 2:13 PM > To: Modster, Anthony <anthony.mods...@teledyne.com>; > users@lists.strongswan.org > Subject: Re: [strongSwan] OCSP update dime > > Answers and question as follows: > > Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory > A: CRL in ipsec.d/crls or fetched dynamically using configured (in ipsec.conf > ca section or swanctl authority section) CRL URIs or CRL URI encoded in CA > certificate > > Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL > A: Yes. > > Am 06.11.19 um 22:46 schrieb Modster, Anthony: >> Thanks >> See below (A.M.) >> >> -----Original Message----- >> From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> >> Sent: Wednesday, November 06, 2019 1:35 PM >> To: Modster, Anthony <anthony.mods...@teledyne.com>; >> users@lists.strongswan.org >> Subject: Re: [strongSwan] OCSP update dime >> >> Hello Anthony, >> >> The exact paragraph is >>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the >>> nextUpdate time in the CRL has passed. If you want to revoke IPsec >>> endpoints more quickly then you > must either dramatically reduce the >>> lifetime of a CRL e.g. down to an hour or use the Online Certificate Status >>> Protocol (OCSP) which will give you realtime information > on the >>> certificate status. >> >> The paragraph gives you the following information: >> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed >> (does not pertain OCSP) >> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory >> >> 2) If you need to get new information about revocations sooner than the >> nextUpdate time, then either decrease the nextUpdate time in the next CRL >> file you issue or use OCSP (Online Certificate Status Protocol) instead. >> OCSP works via a HTTP request asking the OCSP responder if a given >> certificate (identified by its hash) is valid at the current time or not. >> >> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL >> >> Kind regards >> >> Noel >> >> Am 06.11.19 um 22:31 schrieb Modster, Anthony: >>> Hello >>> ? then what is Andreas referencing, below is the issue reported >>> https://wiki.strongswan.org/issues/568 >>> >>> Hi Jim, >>> >>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the >>> nextUpdate time in the CRL has passed. If you want to revoke IPsec >>> endpoints more quickly then you must either dramatically reduce the >>> lifetime of a CRL e.g. down to an hour or use the Online Certificate Status >>> Protocol (OCSP) which will give you realtime information on the certificate >>> status. >>> >>> Andreas >>> >>> -----Original Message----- >>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> >>> Sent: Wednesday, November 06, 2019 1:27 PM >>> To: Modster, Anthony <anthony.mods...@teledyne.com>; >>> users@lists.strongswan.org >>> Subject: Re: [strongSwan] OCSP update dime >>> >>> Hello, >>> >>> The request doesn't really make sense. >>> There's no OCSP nextUpdate time, that's part of a CRL. >>> >>> Kind regards >>> >>> Noel >>> >>> Am 06.11.19 um 00:03 schrieb Modster, Anthony: >>>> Hello >>>> >>>> >>>> >>>> ? what is the nextUpdate time >>>> >>>> ? is it configurable >>>> >>>> >>>> >>>> https://wiki.strongswan.org/issues/568 >>>> >>>> >>>> >>>> Thanks >>>> >>>> >>>> >>> >> >
signature.asc
Description: OpenPGP digital signature
