Fix Handling of OCSP Error Responses
A refactoring in 5.9.12 caused a regression where OCSP error responses crashed the daemon when it tried to verify the issuer of such a response (they are not signed, so there isn't one).
Setting for Length of Nonces in OCSP Requests
One reason for OCSP error responses can be older OCSP servers that don't support the new default length of 32 bytes for nonce values in OCSP requests, which strongSwan uses since 5.9.12, as required by RFC 8954 for newer clients. For this reason, we added the
charon.ocsp_nonce_len setting that allows specifying the length of such nonce values. With older servers, reducing it might be necessary, e.g. to 16, which was the previous default.
Other Notable Features and Fixes
- OCSP error responses are now dropped immediately instead of trying to verify a non-existent signature.
pki --ocsp --respondreplies with an internal error OCSP response if no signer certificate is found (e.g. if the request is sent to the wrong server) instead of failing silently.
- Added missing environment variables for
cert-install-sslcert-enroll script script.