blob: 580684cf84582fedf505357967462cdaefa107e8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
This scenario tests the <b>strictcrlpolicy=ifuri</b> option which enforces a
strict CRL policy for a given CA if at least one OCSP or CRL URI is known
for this CA at the time of the certificate trust path verification.
On the gateway <b>moon</b> two different Intermediate CAs control the access
to the hosts <b>alice</b> and <b>venus</b>. Access to <b>alice</b> is granted
to users presenting a certificate issued by the Research CA whereas <b>venus</b>
can only be reached with a certificate issued by the Sales CA.
<p>
The roadwarrior <b>carol</b> has a certificate from the Research CA which does not
contain any URIs. Therefore a strict CRL policy is <b>not</b> enforced and the
connection setup succeeds, although the certificate status is unknown.
</p>
<p>
The roadwarrrior <b>dave</b> has a certificate from the Sales CA which contains
a single OCSP URI but which is not resolvable. Thus because of the known URI
a strict CRL policy is enforced and the unknown certificate status causes the
connection setup to fail.
</p>
|
