OK, good luck

-----Original Message-----
From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> 
Sent: Wednesday, November 06, 2019 3:50 PM
To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

I think it takes all of them and tries them in order or something, I'd need to 
look at the code.

On 07.11.19 at 00:11, Modster, Anthony wrote:
> Hello Noel
> 
> If the URLs are not set, ? will strongswan read them from the User Cert
> swanctl: authorities.<name>.ocsp_uris “comma-separated list of OCSP URL’s”
> 
> ? would it be the same for CPD
> 
> -----Original Message-----
> From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> 
> Sent: Wednesday, November 06, 2019 2:52 PM
> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
> users@lists.strongswan.org
> Subject: Re: [strongSwan] OCSP update dime
> 
> Check the man page for swanctl.conf on the system running strongSwan. Search 
> for authorities or scroll to the bottom of the page.
> The possibility to configure CRL and OCSP URIs was added in 5.3.3.
> 
> Kind regards
> 
> Noel
> 
> On 06.11.19 at 23:16, Modster, Anthony wrote:
>> ? where are the configuration parameters for OCSP
>> Note: we are using swanctl (VICI)
>>
>>
>> -----Original Message-----
>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> 
>> Sent: Wednesday, November 06, 2019 2:13 PM
>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>> users@lists.strongswan.org
>> Subject: Re: [strongSwan] OCSP update dime
>>
>> Answers and question as follows:
>>
>> Q: (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>> A: CRL in ipsec.d/crls or fetched dynamically using configured (in 
>> ipsec.conf ca section or swanctl authority section) CRL URIs or CRL URI 
>> encoded in CA certificate
>>
>> Q: (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>> A: Yes.
>>
>> On 06.11.19 at 22:46, Modster, Anthony wrote:
>>> Thanks
>>> See below (A.M.)
>>>
>>> -----Original Message-----
>>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> 
>>> Sent: Wednesday, November 06, 2019 1:35 PM
>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>>> users@lists.strongswan.org
>>> Subject: Re: [strongSwan] OCSP update dime
>>>
>>> Hello Anthony,
>>>
>>> The exact paragraph is
>>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>>> endpoints more quickly then you must either dramatically reduce the 
>>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate 
>>>> Status Protocol (OCSP) which will give you realtime information on the 
>>>> certificate status.
>>>
>>> The paragraph gives you the following information:
>>> 1) strongSwan will only fetch a new CRL when the nextUpdate time has passed 
>>> (does not pertain to OCSP)
>>> (A.M.) ? are the methods of fetch: CPD and x509 CRL directory
>>>
>>> 2) If you need to get new information about revocations sooner than the 
>>> nextUpdate time, then either decrease the nextUpdate time in the next CRL 
>>> file you issue or use OCSP (Online Certificate Status Protocol) instead. 
>>> OCSP works via an HTTP request asking the OCSP responder if a given 
>>> certificate (identified by its hash) is valid at the current time or not.
>>>
>>> (A.M.) ? can OCSP revoke a cert, even if there is a valid loaded CRL
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 06.11.19 at 22:31, Modster, Anthony wrote:
>>>> Hello
>>>> ? then what is Andreas referencing, below is the issue reported
>>>> https://wiki.strongswan.org/issues/568 
>>>>
>>>> Hi Jim,
>>>>
>>>> the strongSwan IKE daemon will not try to fetch a fresh CRL before the 
>>>> nextUpdate time in the CRL has passed. If you want to revoke IPsec 
>>>> endpoints more quickly then you must either dramatically reduce the 
>>>> lifetime of a CRL e.g. down to an hour or use the Online Certificate 
>>>> Status Protocol (OCSP) which will give you realtime information on the 
>>>> certificate status.
>>>>
>>>> Andreas
>>>>
>>>> -----Original Message-----
>>>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> 
>>>> Sent: Wednesday, November 06, 2019 1:27 PM
>>>> To: Modster, Anthony <anthony.mods...@teledyne.com>; 
>>>> users@lists.strongswan.org
>>>> Subject: Re: [strongSwan] OCSP update dime
>>>>
>>>> Hello,
>>>>
>>>> The request doesn't really make sense.
>>>> There's no OCSP nextUpdate time, that's part of a CRL.
>>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 06.11.19 at 00:03, Modster, Anthony wrote:
>>>>> Hello
>>>>>
>>>>> ? what is the nextUpdate time
>>>>>
>>>>> ? is it configurable
>>>>>
>>>>> https://wiki.strongswan.org/issues/568
>>>>>
>>>>> Thanks
>>>>
>>>
>>
> 
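As an added example that is not from this thread, a swanctl.conf fragment putting the CRL and OCSP URIs Noel points to into an authorities section (available since 5.3.3), alongside a connection that rejects peers whose revocation status cannot be determined; the authority name, certificate file name, URLs and connection name are placeholders.

```conf
# Added example, not from the mailing list thread.
# All names, file names and URLs are placeholders.
authorities {
    example-ca {
        # CA certificate, looked up in the swanctl x509ca directory
        cacert = example-ca.pem
        # CRL to load when the currently cached CRL's nextUpdate has passed
        crl_uris = http://crl.example.com/example-ca.crl
        # OCSP responder asked for real-time status of certificates this CA issued
        ocsp_uris = http://ocsp.example.com
    }
}

connections {
    rw {
        remote {
            auth = pubkey
            # strict: refuse the peer if neither OCSP nor a CRL can
            # establish that its certificate is not revoked
            revocation = strict
        }
    }
}
```

If crl_uris and ocsp_uris are left unset, strongSwan falls back to the CRL distribution points and OCSP URIs carried in the certificates themselves.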