ocsp-no-signer-cert added
This commit is contained in:
parent
cb5485318f
commit
ce9b4ea6e6
|
@ -0,0 +1,5 @@
|
|||
By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
|
||||
both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
|
||||
is checked via the OCSP server <b>winnetou</b> which is sending a normal host
|
||||
certificate not containing an OCSPSigning extended key usage flag. As a consequence
|
||||
the OCSP signing certificate is not accepted and the connection setup is aborted.
|
|
@ -0,0 +1,5 @@
|
|||
moon::cat /var/log/daemon.log::received valid http response::YES
|
||||
moon::cat /var/log/daemon.log::received certificate is no ocsp signer - rejected::YES
|
||||
moon::cat /var/log/daemon.log::certificate status unknown::YES
|
||||
moon::ipsec status::rw.*ESTABLISHED::NO
|
||||
carol::ipsec status::home.*ESTABLISHED::NO
|
|
@ -0,0 +1,27 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
strictcrlpolicy=yes
|
||||
plutostart=no
|
||||
|
||||
ca strongswan
|
||||
cacert=strongswanCert.pem
|
||||
ocspuri=http://ocsp.strongswan.org:8880
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
keyexchange=ikev2
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftnexthop=%direct
|
||||
leftcert=carolCert.pem
|
||||
leftid=carol@strongswan.org
|
||||
right=PH_IP_MOON
|
||||
rightsubnet=10.1.0.0/16
|
||||
rightid=@moon.strongswan.org
|
||||
auto=add
|
|
@ -0,0 +1,26 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
strictcrlpolicy=yes
|
||||
plutostart=no
|
||||
|
||||
ca strongswan-ca
|
||||
cacert=strongswanCert.pem
|
||||
ocspuri=http://ocsp.strongswan.org:8880
|
||||
auto=add
|
||||
|
||||
conn %default
|
||||
keyexchange=ikev2
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
|
||||
conn rw
|
||||
left=PH_IP_MOON
|
||||
leftnexthop=%direct
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftsubnet=10.1.0.0/16
|
||||
right=%any
|
||||
auto=add
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
cd /etc/openssl
|
||||
|
||||
echo "Content-type: application/ocsp-response"
|
||||
echo ""
|
||||
|
||||
/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
|
||||
-rkey winnetouKey.pem -rsigner winnetouCert.pem \
|
||||
-nmin 5 \
|
||||
-reqin /dev/stdin -respout /dev/stdout
|
|
@ -0,0 +1,2 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
|
@ -0,0 +1,4 @@
|
|||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
carol::sleep 2
|
||||
carol::ipsec up home
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="moon carol winnetou"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="m-c-w.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS=""
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol"
|
Loading…
Reference in New Issue