private EditText mPort;
private TextInputLayoutHelper mPortWrap;
private Switch mCertReq;
+ private Switch mUseCrl;
+ private Switch mUseOcsp;
+ private Switch mStrictRevocation;
private EditText mNATKeepalive;
private TextInputLayoutHelper mNATKeepaliveWrap;
private EditText mIncludedSubnets;
mNATKeepalive = (EditText)findViewById(R.id.nat_keepalive);
mNATKeepaliveWrap = (TextInputLayoutHelper) findViewById(R.id.nat_keepalive_wrap);
mCertReq = (Switch)findViewById(R.id.cert_req);
+ mUseCrl = findViewById(R.id.use_crl);
+ mUseOcsp = findViewById(R.id.use_ocsp);
+ mStrictRevocation= findViewById(R.id.strict_revocation);
mIncludedSubnets = (EditText)findViewById(R.id.included_subnets);
mIncludedSubnetsWrap = (TextInputLayoutHelper)findViewById(R.id.included_subnets_wrap);
mExcludedSubnets = (EditText)findViewById(R.id.excluded_subnets);
mProfile.setNATKeepAlive(getInteger(mNATKeepalive));
int flags = 0;
flags |= !mCertReq.isChecked() ? VpnProfile.FLAGS_SUPPRESS_CERT_REQS : 0;
+ flags |= !mUseCrl.isChecked() ? VpnProfile.FLAGS_DISABLE_CRL : 0;
+ flags |= !mUseOcsp.isChecked() ? VpnProfile.FLAGS_DISABLE_OCSP : 0;
+ flags |= mStrictRevocation.isChecked() ? VpnProfile.FLAGS_STRICT_REVOCATION : 0;
mProfile.setFlags(flags);
String included = mIncludedSubnets.getText().toString().trim();
mProfile.setIncludedSubnets(included.isEmpty() ? null : included);
mSelectVpnType.setSelection(mVpnType.ordinal());
mCertReq.setChecked(flags == null || (flags & VpnProfile.FLAGS_SUPPRESS_CERT_REQS) == 0);
+ mUseCrl.setChecked(flags == null || (flags & VpnProfile.FLAGS_DISABLE_CRL) == 0);
+ mUseOcsp.setChecked(flags == null || (flags & VpnProfile.FLAGS_DISABLE_OCSP) == 0);
+ mStrictRevocation.setChecked(flags != null && (flags & VpnProfile.FLAGS_STRICT_REVOCATION) != 0);
/* check if the user selected a user certificate previously */
useralias = savedInstanceState == null ? useralias : savedInstanceState.getString(VpnProfileDataSource.KEY_USER_CERTIFICATE);
<?xml version="1.0" encoding="utf-8"?>
<!--
- Copyright (C) 2012-2017 Tobias Brunner
+ Copyright (C) 2012-2018 Tobias Brunner
Copyright (C) 2012 Giuliano Grassi
Copyright (C) 2012 Ralf Sager
HSR Hochschule fuer Technik Rapperswil
android:textSize="12sp"
android:text="@string/profile_cert_req_hint" />
+ <Switch
+ android:id="@+id/use_ocsp"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_marginLeft="4dp"
+ android:layout_marginStart="4dp"
+ android:text="@string/profile_use_ocsp_label" />
+
+ <TextView
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_marginBottom="10dp"
+ android:layout_marginLeft="4dp"
+ android:layout_marginStart="4dp"
+ android:textSize="12sp"
+ android:text="@string/profile_use_ocsp_hint" />
+
+ <Switch
+ android:id="@+id/use_crl"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_marginLeft="4dp"
+ android:layout_marginStart="4dp"
+ android:text="@string/profile_use_crl_label" />
+
+ <TextView
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_marginBottom="10dp"
+ android:layout_marginLeft="4dp"
+ android:layout_marginStart="4dp"
+ android:textSize="12sp"
+ android:text="@string/profile_use_crl_hint" />
+
+ <Switch
+ android:id="@+id/strict_revocation"
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_marginLeft="4dp"
+ android:layout_marginStart="4dp"
+ android:text="@string/profile_strict_revocation_label" />
+
+ <TextView
+ android:layout_width="match_parent"
+ android:layout_height="wrap_content"
+ android:layout_marginBottom="10dp"
+ android:layout_marginLeft="4dp"
+ android:layout_marginStart="4dp"
+ android:textSize="12sp"
+ android:text="@string/profile_strict_revocation_hint" />
+
<TextView
android:layout_width="match_parent"
android:layout_height="wrap_content"
<string name="profile_nat_keepalive_hint">Kleine Pakete werden gesendet, um Mappings auf NAT-Routern am Leben zu erhalten, wenn sonst nichts gesendet wird. Um Energie zu sparen, ist das Standardintervall auf 45 Sekunden gesetzt. Hinter NAT-Routern die Mappings früh entfernen, ist dies möglicherweise zu hoch. 20 Sekunden oder weniger können in diesem Fall helfen.</string>
<string name="profile_cert_req_label">Zertifikatsanforderungen senden</string>
<string name="profile_cert_req_hint">Zertifikatsanforderungen werden für alle oder ausgewählte CA-Zertifikate gesendet. Um die Grösse der IKE_AUTH Nachricht zu reduzieren, kann dies deaktiviert werden. Allerdings funktioniert dies nur, falls der Server sein Zertifikat auch sendet, wenn er zuvor keine Zertifikatsanforderungen erhalten hat.</string>
+ <string name="profile_use_ocsp_label">OCSP zur Zertifikatsprüfung verwenden</string>
+ <string name="profile_use_ocsp_hint">Prüft mit dem Online Certificate Status Protocol (OCSP), sofern verfügbar, ob das Server-Zertifikat gesperrt wurde.</string>
+ <string name="profile_use_crl_label">CRLs zur Zertifikatsprüfung verwenden</string>
+ <string name="profile_use_crl_hint">Verwendet Zertifikatssperrlisten (CRL), sofern verfügbar, um zu prüfen, ob das Server-Zertifikat gesperrt wurde. CRLs werden nur verwendet, wenn OCSP kein Resultat liefert.</string>
+ <string name="profile_strict_revocation_label">Strikte Zertifikatsprüfung verwenden</string>
+ <string name="profile_strict_revocation_hint">Im strikten Modus schlägt die Authentisierung nicht nur dann fehl, wenn das Server-Zertifikat gesperrt wurde, sondern auch wenn der Status des Zertifikats unbekannt ist (z.B. weil OCSP fehl schlug und keine gültige CRL verfügbar war).</string>
<string name="profile_split_tunneling_label">Split-Tunneling</string>
<string name="profile_split_tunneling_intro">Standardmässig leitet der Client allen Netzwerkverkehr durch den VPN Tunnel, ausser der Server schränkt die Subnetze beim Verbindungsaufbau ein, in welchem Fall nur der Verkehr via VPN geleitet wird, den der Server erlaubt (der Rest wird standardmässig behandelt, als ob kein VPN vorhanden wäre).</string>
<string name="profile_split_tunnelingv4_title">Blockiere IPv4 Verkehr der nicht für das VPN bestimmt ist</string>
<string name="profile_nat_keepalive_hint">Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case.</string>
<string name="profile_cert_req_label">Send certificate requests</string>
<string name="profile_cert_req_hint">Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests.</string>
+ <string name="profile_use_ocsp_label">Use OCSP to check certificate</string>
+ <string name="profile_use_ocsp_hint">Use the Online Certificate Status Protocol (OCSP), if available, to check that the server certificate has not been revoked.</string>
+ <string name="profile_use_crl_label">Use CRLs to check certificate</string>
+ <string name="profile_use_crl_hint">Use Certificate Revocation Lists (CRL), if available, to check that the server certificate has not been revoked. CRLs are only used if OCSP doesn\'t yield a result.</string>
+ <string name="profile_strict_revocation_label">Use strict revocation checking</string>
+ <string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
<string name="profile_split_tunneling_label">Split tunneling</string>
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
<string name="profile_split_tunnelingv4_title">Block IPv4 traffic not destined for the VPN</string>
<string name="profile_nat_keepalive_hint">Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case.</string>
<string name="profile_cert_req_label">Send certificate requests</string>
<string name="profile_cert_req_hint">Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests.</string>
+ <string name="profile_use_ocsp_label">Use OCSP to check certificate</string>
+ <string name="profile_use_ocsp_hint">Use the Online Certificate Status Protocol (OCSP), if available, to check that the server certificate has not been revoked.</string>
+ <string name="profile_use_crl_label">Use CRLs to check certificate</string>
+ <string name="profile_use_crl_hint">Use Certificate Revocation Lists (CRL), if available, to check that the server certificate has not been revoked. CRLs are only used if OCSP doesn\'t yield a result.</string>
+ <string name="profile_strict_revocation_label">Use strict revocation checking</string>
+ <string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
<string name="profile_split_tunneling_label">Split tunneling</string>
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
<string name="profile_split_tunnelingv4_title">Block IPv4 traffic not destined for the VPN</string>
<string name="profile_nat_keepalive_hint">Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case.</string>
<string name="profile_cert_req_label">Send certificate requests</string>
<string name="profile_cert_req_hint">Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests.</string>
+ <string name="profile_use_ocsp_label">Use OCSP to check certificate</string>
+ <string name="profile_use_ocsp_hint">Use the Online Certificate Status Protocol (OCSP), if available, to check that the server certificate has not been revoked.</string>
+ <string name="profile_use_crl_label">Use CRLs to check certificate</string>
+ <string name="profile_use_crl_hint">Use Certificate Revocation Lists (CRL), if available, to check that the server certificate has not been revoked. CRLs are only used if OCSP doesn\'t yield a result.</string>
+ <string name="profile_strict_revocation_label">Use strict revocation checking</string>
+ <string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
<string name="profile_split_tunneling_label">Split tunneling</string>
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
<string name="profile_split_tunnelingv4_title">Block IPv4 traffic not destined for the VPN</string>
<string name="profile_nat_keepalive_hint">Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case.</string>
<string name="profile_cert_req_label">Send certificate requests</string>
<string name="profile_cert_req_hint">Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests.</string>
+ <string name="profile_use_ocsp_label">Use OCSP to check certificate</string>
+ <string name="profile_use_ocsp_hint">Use the Online Certificate Status Protocol (OCSP), if available, to check that the server certificate has not been revoked.</string>
+ <string name="profile_use_crl_label">Use CRLs to check certificate</string>
+ <string name="profile_use_crl_hint">Use Certificate Revocation Lists (CRL), if available, to check that the server certificate has not been revoked. CRLs are only used if OCSP doesn\'t yield a result.</string>
+ <string name="profile_strict_revocation_label">Use strict revocation checking</string>
+ <string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
<string name="profile_split_tunneling_label">拆分隧道</string>
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
<string name="profile_split_tunnelingv4_title">屏蔽不通过VPN的IPV4流量</string>
<string name="profile_nat_keepalive_hint">Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case.</string>
<string name="profile_cert_req_label">Send certificate requests</string>
<string name="profile_cert_req_hint">Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests.</string>
+ <string name="profile_use_ocsp_label">Use OCSP to check certificate</string>
+ <string name="profile_use_ocsp_hint">Use the Online Certificate Status Protocol (OCSP), if available, to check that the server certificate has not been revoked.</string>
+ <string name="profile_use_crl_label">Use CRLs to check certificate</string>
+ <string name="profile_use_crl_hint">Use Certificate Revocation Lists (CRL), if available, to check that the server certificate has not been revoked. CRLs are only used if OCSP doesn\'t yield a result.</string>
+ <string name="profile_strict_revocation_label">Use strict revocation checking</string>
+ <string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
<string name="profile_split_tunneling_label">拆分隧道</string>
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
<string name="profile_split_tunnelingv4_title">屏蔽不通过VPN的IPV4流量</string>
<string name="profile_nat_keepalive_hint">Small packets are sent to keep mappings on NAT routers alive if there is no other traffic. In order to save energy the default interval is 45 seconds. Behind NAT routers that remove mappings early this might be too high, try 20 seconds or less in that case.</string>
<string name="profile_cert_req_label">Send certificate requests</string>
<string name="profile_cert_req_hint">Certificate requests are sent for all available or selected CA certificates. To reduce the size of the IKE_AUTH message this can be disabled. However, this only works if the server sends its certificate even if it didn\'t receive any certificate requests.</string>
+ <string name="profile_use_ocsp_label">Use OCSP to check certificate</string>
+ <string name="profile_use_ocsp_hint">Use the Online Certificate Status Protocol (OCSP), if available, to check that the server certificate has not been revoked.</string>
+ <string name="profile_use_crl_label">Use CRLs to check certificate</string>
+ <string name="profile_use_crl_hint">Use Certificate Revocation Lists (CRL), if available, to check that the server certificate has not been revoked. CRLs are only used if OCSP doesn\'t yield a result.</string>
+ <string name="profile_strict_revocation_label">Use strict revocation checking</string>
+ <string name="profile_strict_revocation_hint">In strict mode the authentication will fail not only if the server certificate has been revoked but also if its status is unknown (e.g. because OCSP failed and no valid CRL was available).</string>
<string name="profile_split_tunneling_label">Split tunneling</string>
<string name="profile_split_tunneling_intro">By default, the client will route all network traffic through the VPN, unless the server narrows the subnets when the connection is established, in which case only traffic the server allows will be routed via VPN (by default, all other traffic is routed as if there was no VPN).</string>
<string name="profile_split_tunnelingv4_title">Block IPv4 traffic not destined for the VPN</string>