[Openswan Users] ocsp & openswan
andreas.steffen at strongsec.net
Tue Jun 14 20:52:44 CEST 2005
Yes, if the certs have an Authority Information Access Entry
then the OCSP server should be contacted as soon as the
certificate is received from the peer. Use
ipsec auto --listocsp
to check if any OCSP fetch requests have been generated.
My OCSP test scenario available from
shows how the OCSP fetching works.
> hi Andreas,
> yes I have done it on both ends of the VPN.
> the check to the ocsp server should be automatic ?
> 2005/6/14, Andreas Steffen <andreas.steffen at strongsec.net>:
>>have you started the OCSP fetching thread by setting
>> crlcheckinterval=600 # check every 10 minutes
>>in ipsec.conf ?
>>>I am trying to use the OCSP protocol to check the validity of my certificates.
>>>So I have downloaded the libcurl-devel package providing curl headers,
>>>I have set USE_LIBCURL to true and HAVE_THREAD to true.
>>>And when my CA sign a certificate it adds the following extension on
>>>Authority Information Access :
>>>OCSP - URI:http://220.127.116.11
>>>this is the address where my OCSP server is running.
>>>So when I manually ask for the validity of a certificate to the OCSP
>>>server , it responds correctly.
>>>But, when I try manually to establish A VPN with the certificates the
>>>ocsp server is not asked.
>>>is it normal?
>>>is there an ocsp client in pluto or not ?
>>>does this check can only be done by a web browser ?
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
More information about the Users