[Openswan Users] ocsp & openswan

Andreas Steffen andreas.steffen at strongsec.net
Tue Jun 14 20:52:44 CEST 2005

Yes, if the certs have an Authority Information Access Entry
then the OCSP server should be contacted as soon as the
certificate is received from the peer. Use

  ipsec auto --listocsp

to check if any OCSP fetch requests have been generated.

My OCSP test scenario available from


shows how the OCSP fetching works.



david wrote:
> hi Andreas,
> yes I have done it on both ends of the VPN.
> the check to the ocsp server should be automatic?
> regards
> david
> 2005/6/14, Andreas Steffen <andreas.steffen at strongsec.net>:
>>Hi David,
>>have you started the OCSP fetching thread by setting
>>config setup
>>     crlcheckinterval=600  # check every 10 minutes
>>in ipsec.conf ?
>>david wrote:
>>>hi all,
>>>I am trying to use the OCSP protocol to check the validity of my certificates.
>>>So I have downloaded the libcurl-devel package providing curl headers,
>>>I have set USE_LIBCURL to true and HAVE_THREAD to true.
>>>And when my CA signs a certificate it adds the following extension on
>>>the certificates:
>>>Authority Information Access:
>>>OCSP - URI:
>>>this is the address where my OCSP server is running.
>>>So when I manually ask for the validity of a certificate to the OCSP
>>>server, it responds correctly.
>>>But, when I try manually to establish a VPN with the certificates the
>>>ocsp server is not asked.
>>>is it normal?
>>>is there an ocsp client in pluto or not?
>>>can this check only be done by a web browser?

Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
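The trigger Andreas describes above is the Authority Information Access extension: pluto only generates an OCSP fetch request when the received certificate carries an id-ad-ocsp access description. The following is an added example, not code from this thread or from Openswan, that builds a constructed AIA value in DER (RFC 5280, section 4.2.2.1) and extracts the OCSP responder URIs from it the way a verifier must before any fetch can happen; the URIs used are placeholders.

```python
# Added example: minimal DER encoder/decoder for the AuthorityInfoAccess
# extension value, enough to pull out the OCSP responder URI(s).
ID_AD_OCSP = bytes.fromhex("2B06010505073001")       # 1.3.6.1.5.5.7.48.1
ID_AD_CAISSUERS = bytes.fromhex("2B06010505073002")  # 1.3.6.1.5.5.7.48.2
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86    # [6] IMPLICIT IA5String

def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a definite short or long length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV at buf[pos]."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long form: n & 0x7F length bytes follow
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def build_aia(entries) -> bytes:
    """entries: (access-method OID bytes, URI) pairs -> DER AIA value."""
    descs = b"".join(der(TAG_SEQUENCE, der(TAG_OID, oid) + der(TAG_URI, uri.encode("ascii")))
                     for oid, uri in entries)
    return der(TAG_SEQUENCE, descs)

def ocsp_uris(aia_der: bytes) -> list:
    """Return the OCSP responder URIs named in a DER AIA value ([] means no fetch)."""
    tag, body, _ = read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA must be a SEQUENCE OF AccessDescription")
    uris, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            continue
        mtag, method, p = read_tlv(desc, 0)
        ltag, location, _ = read_tlv(desc, p)
        # Only id-ad-ocsp with a uniformResourceIdentifier location counts.
        if mtag == TAG_OID and method == ID_AD_OCSP and ltag == TAG_URI:
            uris.append(location.decode("ascii"))
    return uris

# Constructed sample: one OCSP responder plus a caIssuers pointer (placeholder URIs).
SAMPLE_AIA = build_aia([(ID_AD_OCSP, "http://ocsp.example.test/"),
                        (ID_AD_CAISSUERS, "http://ca.example.test/ca.crt")])

if __name__ == "__main__":
    print(ocsp_uris(SAMPLE_AIA))   # non-empty: an OCSP fetch would be queued
```

A certificate whose AIA lacks an id-ad-ocsp entry yields an empty list, which matches the symptom in the thread: no responder is contacted because nothing tells the verifier where it is.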
