wip: revocation: Optionally require nonces in OCSP responses

To prevent potential replay attacks it might be preferable to actually
require that nonces are contained in OCSP responses. Otherwise, if the
OCSP server replies to requests with and without nonces, and depending on
the lifetime of the responses, attackers could send cached responses they
requested without a nonce in reply to our requests with nonces.

wip: As mentioned above, this is only a problem if servers reply to requests
with and without a nonce. So if this is a concern, it might be an option to
configure the server to not reply to requests that don't contain a nonce (if
possible; the OpenSSL OCSP server does not seem to have an option to do so).
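
The replay described in this commit message, as an added example that is not part of the commit or the project's code: a simplified model of a client-side check with and without the "require nonce" policy. An HMAC stands in for the responder's signature, and all names, keys and timestamps are constructed for illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

KEY = b"constructed-demo-key"  # stands in for the responder's signing key

@dataclass(frozen=True)
class OcspResponse:
    serial: int
    status: str
    this_update: float
    next_update: float
    nonce: Optional[bytes]
    sig: bytes = b""

def _sign(r):
    # The "signature" covers every field, including the (possibly absent) nonce.
    msg = repr((r.serial, r.status, r.this_update, r.next_update, r.nonce)).encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def responder(serial, status, now, nonce=None, lifetime=3600.0):
    """Model responder that answers requests with and without a nonce."""
    r = OcspResponse(serial, status, now, now + lifetime, nonce)
    return OcspResponse(serial, status, now, now + lifetime, nonce, _sign(r))

def verify(resp, serial, request_nonce, now, require_nonce):
    """Client-side check; returns (accepted, reason)."""
    if not hmac.compare_digest(_sign(resp), resp.sig) or resp.serial != serial:
        return False, "bad signature or wrong certificate"
    if not resp.this_update <= now <= resp.next_update:
        return False, "outside validity window"
    if resp.nonce is None:
        # A validly signed response without a nonce may be a cached one.
        if require_nonce:
            return False, "nonce missing"
        return True, "accepted without nonce"
    if not hmac.compare_digest(resp.nonce, request_nonce):
        return False, "nonce mismatch"
    return True, "accepted"

def demo():
    t0 = 1_000_000.0
    cached = responder(42, "good", t0)        # obtained earlier, no nonce in request
    now, nonce = t0 + 1200, os.urandom(16)    # certificate revoked in the meantime
    fresh = responder(42, "revoked", now, nonce)
    return {"replay_lenient": verify(cached, 42, nonce, now, False),
            "replay_strict": verify(cached, 42, nonce, now, True),
            "fresh_strict": verify(fresh, 42, nonce, now, True),
            "replay_expired": verify(cached, 42, nonce, t0 + 7200, False)}
```

Without the strict policy, the cached "good" response is only rejected once its validity window has passed, which is why the exposure depends on the response lifetime.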