[strongSwan-dev] Authorize hook called even if CRL is expired

Emeric POUPON emeric.poupon at stormshield.eu
Fri Aug 25 10:22:51 CEST 2017


Hello,

Here is the situation:
- strongSwan 5.5.3
- a valid CRL is required (strictcrlpolicy = yes)
- the CRL used is expired

The problem is that our custom authorize hook is called (with final = FALSE) even if the CRL is expired:

Aug 10 04:05:11 14[CFG] <MYCONN|1>   crl correctly signed by "C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_IPSec1"
Aug 10 04:05:11 14[CFG] <MYCONN|1>   crl is stale: since Aug 10 02:53:17 2017
...
Aug 10 04:05:11 14[CFG] <MYCONN|1> certificate policy 2.5.29.32.0 for 'C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_LongerInitiator1,ou=users,o=mycompany,dc=fr, E=Initiator1 at TestInt.int' not allowed by trustchain, ignored
...
Aug 10 04:05:11 14[CFG] <MYCONN|1>   certificate "C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_IPSec1" key: 2048 bit RSA
Aug 10 04:05:11 14[CFG] <MYCONN|1>   reached self-signed root ca with a path length of 0
Aug 10 04:05:11 14[IKE] <MYCONN|1> authentication of 'C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_LongerInitiator1,ou=users,o=mycompany,dc=fr, E=Initiator1 at TestInt.int' with RSA_EMSA_PKCS1_SHA2_256 successful
*** Authorization hook called here
Aug 10 04:05:11 14[CFG] <MYCONN|1> constraint check failed: RULE_CRL_VALIDATION is STALE, but requires at least GOOD
Aug 10 04:05:11 14[CFG] <MYCONN|1> selected peer config 'MYCONN' inacceptable: non-matching authentication done

It looks like the hook should not be called in that situation, in order to prevent useless external requests to check permissions.

As a workaround, how could we check the CRL validation status in our custom plugin during the authorize hook?

Regards,

Emeric
