[Openswan Users] openswan and DoD PKI specification
Chen, Xuli (James)
chenja at avaya.com
Mon Mar 21 16:41:30 EDT 2011
Thanks again, Paul.
I didn't find any CRL version check in either file, but according to the format of struct x509crl, I would say it's for version 1. And I did test the latest openswan-2.6.21-5.el5_5.3 from Red Hat with a version 1 CRL; it works well. I cannot generate a version 2 CRL.
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Monday, March 21, 2011 4:09 PM
To: Chen, Xuli (James)
Cc: users at openswan.org
Subject: RE: [Openswan Users] openswan and DoD PKI specification
On Mon, 21 Mar 2011, Chen, Xuli (James) wrote:
> RFC specifications already implemented x509 CRL version 2, which has a new field, CRL extensions. Does the latest openswan support both version CRLs? It would always be backward compatible (It will continue supporting v1 when it supports v2)?
I'm not very knowledgeable in the X.509 space - in fact I'm trying very hard to not use it (see
current IETF discussions on bare keys versus certificates). So I do not know what versions of
CRL exist and which of those we support. I suggest you check programs/pluto/x509.c and
programs/pluto/fetch.c. If you can tell me, then I will put a note in those files and the
README to list the specific versions/RFCs we support.
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Friday, March 18, 2011 9:51 PM
> To: Chen, Xuli (James)
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] openswan and DoD PKI specification
> On Fri, 18 Mar 2011, Chen, Xuli (James) wrote:
>> Date: Fri, 18 Mar 2011 14:52:10 -0400
>> From: "Chen, Xuli (James)" <chenja at avaya.com>
>> To: "users at openswan.org" <users at openswan.org>
>> Subject: [Openswan Users] openswan and DoD PKI specification
>> Hi All,
>> Does anyone know if the DoD PKI specification was being followed when openswan was deployed or upgraded?
> The IETF RFC specifications are used. We have no idea what the relationship with
> DoD is. For instance Openswan supports md5 and DoD might say it may not use md5.
> Red Hat builds a FIPS 140-2 version of openswan, that disables some ciphers for
> this reason, and uses NSS to encrypt all the private keys inside an nssdb database.
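The v1/v2 distinction discussed above can be checked directly on a DER-encoded CRL: per RFC 5280, TBSCertList carries an INTEGER version only when the CRL is v2, and crlExtensions ([0] EXPLICIT) may appear only in v2. The following is an added example, not openswan code; the two sample CRLs are constructed inline with a placeholder (not valid) signature so that it runs offline.

```python
"""Detect X.509 CRL version (v1 vs v2) and presence of crlExtensions from DER.

RFC 5280 TBSCertList ::= SEQUENCE {
    version Version OPTIONAL,        -- INTEGER, present only for v2 (value 1)
    signature, issuer, thisUpdate, nextUpdate OPTIONAL, revokedCertificates OPTIONAL,
    crlExtensions [0] EXPLICIT Extensions OPTIONAL }   -- v2 only
"""

def _tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def crl_version(der):
    """Return (version, has_crl_extensions); reject a v1 CRL that carries extensions."""
    tag, crl, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList is not a SEQUENCE")
    tag, tbs, _ = _tlv(crl, 0)
    if tag != 0x30:
        raise ValueError("TBSCertList is not a SEQUENCE")
    tag, first, pos = _tlv(tbs, 0)          # INTEGER version (v2) or AlgorithmIdentifier SEQUENCE (v1)
    version = int.from_bytes(first, "big") + 1 if tag == 0x02 else 1
    has_ext = False
    while pos < len(tbs):                   # walk remaining fields, looking for [0] crlExtensions
        tag, _, pos = _tlv(tbs, pos)
        has_ext |= (tag == 0xA0)
    if has_ext and version != 2:
        raise ValueError("crlExtensions present in a non-v2 CRL")
    return version, has_ext

def _der(tag, *parts):
    """Minimal DER encoder (tag + length + concatenated parts) used to build constructed samples."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

# Constructed sample CRLs (not from any real CA): sha256WithRSAEncryption OID, CN=Example CRL,
# a UTCTime thisUpdate and an all-zero BIT STRING standing in for the signature.
ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
ISSUER = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0c, b"Example CRL"))))
THIS_UPDATE = _der(0x17, b"110321000000Z")
SIG = _der(0x03, b"\x00" * 9)
EXTS = _der(0xA0, _der(0x30, _der(0x30, _der(0x06, b"\x55\x1d\x14"), _der(0x04, _der(0x02, b"\x01")))))
CRL_V1 = _der(0x30, _der(0x30, ALG, ISSUER, THIS_UPDATE), ALG, SIG)
CRL_V2 = _der(0x30, _der(0x30, _der(0x02, b"\x01"), ALG, ISSUER, THIS_UPDATE, EXTS), ALG, SIG)
```

The v2 sample carries a cRLNumber extension (OID 2.5.29.20); a v1 CRL with that same [0] field is rejected, which is the compatibility question raised in the thread.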