From: Tobias Brunner
Date: Tue, 22 May 2018 07:52:08 +0000 (+0200)
Subject: Merge branch 'cert-chain-fixes'
X-Git-Tag: 5.6.3dr2~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3f003e5e2128edc7d17871293ecb9562550fbc20;p=thirdparty%2Fstrongswan.git

Merge branch 'cert-chain-fixes'

This fixes several issues that came up via BSI's Certification Path Validation Test Tool (CPT):

1) In compliance with RFC 4945, section 5.1.3.2, we now enforce that a certificate used for IKE authentication either does not contain a keyUsage extension (like the ones produced by pki --issue) or that it includes digitalSignature or nonRepudiation.

2) CRLs that are not yet valid are now rejected as that could be a problem in scenarios where expired certificates are removed from CRLs and the clock on the host doing the revocation check is trailing behind that of the host issuing CRLs.

3) Results other than revocation (e.g. a skipped check because the CRL couldn't be fetched) are now stored also for intermediate CA certificates and not only for end-entity certificates, so a strict CRL policy can be enforced in such cases.

---
3f003e5e2128edc7d17871293ecb9562550fbc20
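The three rules in the merge description, modelled as small stand-alone checks. This is an added illustration written for this page, not strongSwan's code: instead of full X.509 objects it works on the raw DER value of a KeyUsage extension, on the thisUpdate/nextUpdate timestamps of a CRL, and on a list of per-certificate revocation results. The function names (`key_usage_permits_ike`, `crl_time_status`, `chain_revocation_ok`), the status strings and the sample DER values are assumptions made here; the KeyUsage bit numbering follows RFC 5280, section 4.2.1.3.

```python
"""Stand-alone checks modelled on the three cert-chain fixes described above.

Added example, not strongSwan code. The DER handling covers only the
KeyUsage BIT STRING, which is all these rules need.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# KeyUsage bit positions (RFC 5280, 4.2.1.3); bit 0 is the MSB of the first byte.
DIGITAL_SIGNATURE = 0
NON_REPUDIATION = 1  # later renamed contentCommitment, same bit


def key_usage_bits(der: bytes) -> Set[int]:
    """Decode a DER BIT STRING (the extnValue of KeyUsage) into the set of
    asserted bit indices. Rejects non-minimal or inconsistent encodings."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2 or length < 1:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    return {i for i in range(total_bits) if body[i // 8] & (0x80 >> (i % 8))}


def key_usage_permits_ike(key_usage_der: Optional[bytes]) -> bool:
    """Fix 1 (RFC 4945, 5.1.3.2): a certificate with no KeyUsage extension is
    acceptable for IKE authentication; if the extension is present it must
    assert digitalSignature or nonRepudiation."""
    if key_usage_der is None:
        return True
    bits = key_usage_bits(key_usage_der)
    return DIGITAL_SIGNATURE in bits or NON_REPUDIATION in bits


def crl_time_status(this_update: datetime, next_update: datetime,
                    now: datetime) -> str:
    """Fix 2: a CRL whose thisUpdate lies in the future is rejected outright
    ('not_yet_valid'); one past nextUpdate is 'stale'; otherwise 'valid'.
    A skewed clock on the checking host is exactly the case this catches."""
    if now < this_update:
        return "not_yet_valid"
    if now > next_update:
        return "stale"
    return "valid"


def chain_revocation_ok(results: List[str], strict: bool) -> bool:
    """Fix 3: one result per certificate in the path (end entity first, then
    each intermediate CA), each 'good', 'revoked' or 'skipped' (e.g. the CRL
    could not be fetched). 'revoked' anywhere fails; with a strict CRL policy
    a 'skipped' result anywhere fails too, intermediates included."""
    for result in results:
        if result == "revoked":
            return False
        if result == "skipped" and strict:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample KeyUsage values (minimal DER BIT STRING encodings):
    samples = {
        "digitalSignature only": bytes.fromhex("03020780"),
        "nonRepudiation only": bytes.fromhex("03020640"),
        "keyEncipherment only": bytes.fromhex("03020520"),
        "keyCertSign+cRLSign (CA)": bytes.fromhex("03020106"),
    }
    for name, der in samples.items():
        print(f"{name:28s} bits={sorted(key_usage_bits(der))} "
              f"ike_ok={key_usage_permits_ike(der)}")
    # Constructed CRL timestamps around the commit date, checked with a lagging clock.
    now = datetime(2018, 5, 22, 7, 52, tzinfo=timezone.utc)
    print(crl_time_status(now + timedelta(hours=1), now + timedelta(days=7), now))
    print(chain_revocation_ok(["good", "skipped"], strict=True))
```

The `"03020780"` style values are the complete DER encodings of a one-byte KeyUsage BIT STRING (tag, length, unused-bit count, content), which is what you would see after the extension OID and criticality in a real certificate; the `pki --issue` certificates mentioned in the description simply have no such extension, so they pass the first check on the `None` branch.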