<div dir="ltr">Hi Noel,<div><br></div><div>Thank you for the reply. Regarding the crlSign bit, in our environment we can only accept it if it has been signed by a CA AND has the crlSign bit set. I changed the line in the code to "if (!(x509->get_flags(x509) & X509_CRL_SIGN))" but it just seems to get ignored even when the CA cert on the peer doesn't have crlSign set. Is there something else in the code that I am missing?</div><div><br></div><div>Thanks,</div><div><br></div><div>David</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jul 31, 2017 at 12:32 PM, David Keane <span dir="ltr">&lt;<a href="mailto:dkeane3000@gmail.com" target="_blank">dkeane3000@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div>Hi all,<br><br></div><div>My setup is as follows:<br><br></div><div>Host 1 --> MyVPNGW --> PeerVPNGW --> Host 2<br></div><div><br></div><div>MyVPNGW is also connected to a CA server that contains a CRL on /var/www/html/. I am using a Root CA and an Intermediate CA certificate on each side with their relevant client certs.<br><br></div>I have a few questions that I need answered in relation to strongSwan's revocation procedures that maybe you can help with. My 1st issue is that if I add MyVPNGW's certificate to the CRL marked as revoked and then initiate the tunnel from MyVPNGW also, I find that the tunnel will establish, with or without strict-crl-policy, and the CRL embedded in the certificate appears to be ignored.
The CRLDP is embedded in the certificate itself as follows:<br><br>X509v3 CRL Distribution Points: <br><br>Full Name:<br> URI:<a href="http://192.168.1.1/crl.der" target="_blank">http://192.168.1.1/crl.der</a><br><br></div>I can see in the logs that the CRL was fetched correctly:<br><br>received end entity cert "XXXXXXXXX"<br> using certificate "XXXXXX"<br> using trusted intermediate ca certificate "XXXXXX"<br><b>checking certificate status of "CN=PeerVPNGW"</b><br> fetching crl from '<a href="http://192.168.1.1/crl.der" target="_blank">http://192.168.1.1/crl.der</a>' ...<br> using trusted ca certificate "XXXXXX"<br> reached self-signed root ca with a path length of 0<br> using trusted certificate "XXXXXXXXXX"<br> crl correctly signed by "XXXXXXXXXXX"<br> crl is valid: until Aug 11 23:27:53 2017<br>certificate status is good<br> using trusted ca certificate "XXXXXXXXXXXX"<br><b>checking certificate status of "CN=<a href="http://intermediate_ca.test.com" target="_blank">intermediate_ca.test.com</a>"</b><br> fetching crl from '<a href="http://192.168.1.1/rootcrl.der" target="_blank">http://192.168.1.1/rootcrl.der</a>' ...<br> using trusted certificate "XXXXXXXXXX"<br> crl correctly signed by "XXXXXXXXXXXXX"<br> crl is valid: until Aug 11 14:47:48 2017<br>certificate status is good<br> reached self-signed root ca with a path length of 1<br>authentication of 'XXXXXXXXX' with ECDSA_WITH_SHA384_DER successful<br>IKE_SA testsa[1] established between X.X.X.X[XXXXX]...X.X.X.X[XXXXXX]<br>scheduling reauthentication in 86370s<br>maximum IKE_SA lifetime 86400s<br>connection 'testsa' established successfully<br></div><div><br>If I mark the PeerVPNGW cert as revoked, the connection fails, and I can see in the IPsec logs that the certificate was revoked. I notice in the logs (see above) that it only seems to check the certificate status of the peer certs and not the local side; is that correct?
Is there any way of getting strongSwan to validate its local certificate against the CRL?<br><br></div>My 2nd question is in relation to CRLsign. My understanding of the standards is that the CRL should be ignored unless it was signed by a CA certificate that has the CRLsign bit set. I am finding that strongSwan seems to ignore this. If I create a CRL from a certificate that doesn't have the CRLsign bit set and then revoke the PeerVPNGW cert, I find that the connection fails as it's seeing the PeerVPNGW cert as being revoked. I would have expected it to ignore the CRL as the CRLsign bit wasn't set and it shouldn't be recognised as a valid CRL. Just wondering what your opinions are on this?<br><br></div>Thank you,<br><br></div>David<br></div>
</blockquote></div><br></div>
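<div dir="ltr">The rule David describes for his environment (accept a CRL only if it was signed by a CA certificate that also carries the cRLSign key-usage bit) can be exercised on its own, outside strongSwan. The Go program below is an added example for this thread; it is not strongSwan code and not the patched line David mentions. It builds two throwaway CAs with Go's standard crypto/x509 package (Go 1.19 or later is assumed for <code>x509.ParseRevocationList</code>): "strict-ca" with cRLSign and "lax-ca" without it. Each issues a CRL revoking a made-up serial 4242, and <code>checkCRL</code> is run on the results. The CA names, the serial, the function names and the error values are all constructed for the example. It makes the point David expected: the lax-ca CRL carries a perfectly good signature, so a signature-only check accepts it, and only the separate key-usage test rejects it. RFC 5280 section 4.2.1.3 requires cRLSign when a keyUsage extension is present and the key is used to verify CRL signatures; the check here is deliberately stricter than that, as it also rejects a CA certificate with no keyUsage extension at all, which matches the "signed by a CA AND cRLSign set" policy David states.</div>

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Reasons checkCRL rejects a CRL.
var ErrCRLIssuerName = errors.New("crl: issuer name does not match the CA certificate")
var ErrCRLSignature = errors.New("crl: signature does not verify with the CA key")
var ErrCRLNoCRLSign = errors.New("crl: signer is not a CA with the cRLSign key-usage bit")

// checkCRL implements "signed by a CA AND cRLSign set": accept only if the issuer
// name matches ca, the signature verifies with ca's key, and ca is a CA with cRLSign.
func checkCRL(crlDER []byte, ca *x509.Certificate) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if !bytes.Equal(rl.RawIssuer, ca.RawSubject) {
		return nil, ErrCRLIssuerName
	}
	// CheckSignature verifies bytes only; it knows nothing about key usage.
	if err := ca.CheckSignature(rl.SignatureAlgorithm, rl.RawTBSRevocationList, rl.Signature); err != nil {
		return nil, ErrCRLSignature
	}
	if !ca.BasicConstraintsValid || !ca.IsCA || ca.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return nil, ErrCRLNoCRLSign
	}
	return rl, nil
}

// isRevoked reports whether the certificate with the given serial is listed.
func isRevoked(rl *x509.RevocationList, serial int64) bool {
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			return true
		}
	}
	return false
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mustCA builds a throwaway self-signed P-384 CA (test fixture) with the given keyUsage.
func mustCA(cn string, ku x509.KeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// mustCRL signs a CRL revoking serial with ca's key. Go's CreateRevocationList
// refuses an issuer without cRLSign, so a copy of ca with the bit forced on is
// handed to it: the bytes are what a CA lacking the bit can still emit with openssl.
func mustCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, serial int64) []byte {
	issuer := *ca
	issuer.KeyUsage |= x509.KeyUsageCRLSign
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}}}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, &issuer, key)
	must(err)
	return der
}

// scenario: "strict-ca" (cRLSign) and "lax-ca" (no cRLSign) each revoke serial 4242.
func scenario() (strict, lax, cross error, revoked bool) {
	strictCA, strictKey := mustCA("strict-ca", x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	laxCA, laxKey := mustCA("lax-ca", x509.KeyUsageCertSign)
	goodCRL, badCRL := mustCRL(strictCA, strictKey, 4242), mustCRL(laxCA, laxKey, 4242)
	rl, strict := checkCRL(goodCRL, strictCA) // valid CRL from a CA with cRLSign: accept
	revoked = strict == nil && isRevoked(rl, 4242)
	_, lax = checkCRL(badCRL, laxCA) // signature is fine, but the CA lacks cRLSign: reject
	_, cross = checkCRL(badCRL, strictCA) // issued by a different CA: reject
	return
}

func main() {
	strict, lax, cross, revoked := scenario()
	fmt.Printf("strict-ca: %v (4242 revoked: %v)\nlax-ca: %v\ncross: %v\n", strict, revoked, lax, cross)
}
```

<div dir="ltr">Go's own <code>RevocationList.CheckSignatureFrom</code> enforces the RFC form of this rule (it rejects a parent that is not a CA, or whose keyUsage is present without cRLSign) and can replace <code>checkCRL</code> where the RFC rule is all that is wanted; it is not used above so that the key-usage test stays visible as a separate step after the signature check. The detour in <code>mustCRL</code> is worth noting: <code>x509.CreateRevocationList</code> refuses to sign with a CA that lacks cRLSign, but that is a safeguard on the issuing side, which a relying party cannot count on. A CRL that David, as he describes, produced from a certificate without the bit is structurally the same as the lax-ca CRL built here, and it is the verifier's check, not the issuer's tooling, that has to reject it.</div>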