[svn-upgrade] Integrating new upstream version, strongswan (4.1.3)

1 files changed, 18 insertions, 0 deletions

diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/description.txt b/testing/tests/ikev2/ocsp-strict-ifuri/description.txt
new file mode 100644
index 000000000..580684cf8
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/description.txt
@@ -0,0 +1,18 @@
+This scenario tests the <b>strictcrlpolicy=ifuri</b> option which enforces a
+strict CRL policy for a given CA if at least one OCSP or CRL URI is known
+for this CA at the time of the certificate trust path verification.
+On the gateway <b>moon</b> two different Intermediate CAs control the access
+to the hosts <b>alice</b> and <b>venus</b>. Access to <b>alice</b> is granted
+to users presenting a certificate issued by the Research CA whereas <b>venus</b>
+can only be reached with a certificate issued by the Sales CA. 
+<p>
+The roadwarrior <b>carol</b> has a certificate from the Research CA which does not
+contain any URIs. Therefore a strict CRL policy is <b>not</b> enforced and the
+connection setup succeeds, although the certificate status is unknown.
+</p>
+<p>
+The roadwarrrior <b>dave</b> has a certificate from the Sales CA which contains
+a single OCSP URI but which is not resolvable. Thus because of  the known URI
+a strict CRL policy is enforced and the unknown certificate status causes the
+connection setup to fail.
+</p>