[strongSwan] Reread of CA certificates, CRL checking
Markus Müller
mamu5004 at stud.uni-saarland.de
Fri Feb 26 15:27:13 CET 2010
Hello,
I've got the following 2 questions about a strongSwan 4.3.6 setup with
OpenSSL 0.9.8g certificates:
1)
Is there a way to tell the pluto & charon daemons to "forget" removed CA
certificates from /etc/ipsec.d/cacerts without a restart
(and thus disrupted connections)?
When I delete a certificate from the folder and run 'ipsec rereadcacerts',
the removed certificate is still listed in the 'ipsec listcacerts' output.
2)
I generated CRLs for my CAs and put those in the /etc/ipsec.d/crls folder.
One of the CRLs belongs to a CA with a revoked certificate.
When I tried to connect using that revoked certificate, the connection was
established when keyexchange is set to ikev2, but rejected (as expected) when
keyexchange is set to ike.
Thanks in advance,
Markus
The ipsec.conf files look like this:
gateway side:
conn 1
left=192.168.150.135
leftsubnet=172.16.121.0/24
right=%any
authby=rsasig
leftcert=cert1.pem
leftid="C=de, ST=state, O=company, OU=develop, CN=cert 1, E=dev at company.de"
rightid=%any
dpdaction=hold
dpddelay=15s
ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
esp=aes256-sha2_256!
keyexchange=ikev2
ikelifetime=3600s
keyingtries=%forever
keylife=300s
rekey=yes
rekeymargin=60s
rekeyfuzz=50%
reauth=yes
auto=add
leftsendcert=ifasked
client side:
conn 1
left=192.168.150.136
right=192.168.150.135
rightsubnet=172.16.121.0/24
authby=rsasig
leftcert=cert2.pem
leftid="C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de"
rightcert=cert1.pem
rightid="C=de, ST=state, O=company, OU=develop, CN=cert 1, E=dev at company.de"
dpdaction=hold
dpddelay=15s
ike=aes256-sha2_512-modp8192,aes256-sha2_512-modp4096!
esp=aes128-sha2_256,aes256-sha2_256!
keyexchange=ikev2
ikelifetime=3600s
keyingtries=%forever
keylife=300s
rekey=yes
rekeymargin=60s
rekeyfuzz=50%
reauth=yes
auto=add
leftsendcert=ifasked
'ipsec listcrls' output on gateway side:
000
000 List of X.509 CRLs:
000
000 issuer: "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, E=sales at company.de"
000 revoked: 1 certificates
000 distPts: 'file:///etc/ipsec.d/crls/sales_crl.pem'
000 updates: this Feb 23 13:31:38 2010
000 next Feb 21 13:31:38 2020 ok
000
000 issuer: "C=de, ST=state, L=city, O=company, OU=develop, CN=develop ca, E=dev at company.de"
000 revoked: 0 certificates
000 distPts: 'file:///etc/ipsec.d/crls/develop_crl.pem'
000 updates: this Jan 22 14:53:53 2010
000 next Jan 20 14:53:53 2020 ok
List of X.509 CRLs:
issuer: "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, E=sales at company.de"
revoked: 1 certificate
updates: this Feb 23 13:31:38 2010
next Feb 21 13:31:38 2020, ok
issuer: "C=de, ST=state, L=city, O=company, OU=develop, CN=develop ca, E=dev at company.de"
revoked: 0 certificates
updates: this Jan 22 14:53:53 2010
next Jan 20 14:53:53 2020, ok
log on gateway side (ikev2):
s_local@(none) charon: 11[CFG] selected peer config '1'
s_local@(none) charon: 11[CFG] using certificate "C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de"
s_local@(none) charon: 11[CFG] using trusted ca certificate "C=de, ST=state, L=city, O=company, OU=sales, CN=sales ca, E=sales at company.de"
s_local@(none) charon: 11[CFG] checking certificate status of "C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de"
s_local@(none) charon: 11[CFG] certificate status is not available
s_local@(none) charon: 11[CFG] reached self-signed root ca with a path length of 0
s_local@(none) charon: 11[IKE] authentication of 'C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de' with RSA signature successful
log on gateway side (ikev1):
"1"[1] 192.168.150.136 #3: responding to Main Mode from unknown peer 192.168.150.136
"1"[1] 192.168.150.136 #3: Peer ID is ID_DER_ASN1_DN: 'C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de'
"1"[1] 192.168.150.136 #3: certificate was revoked on Feb 23 13:30:46 UTC 2010, reason: unspecified
"1"[1] 192.168.150.136 #3: X.509 certificate rejected
"1"[1] 192.168.150.136 #3: no public key known for 'C=de, ST=state, O=company, OU=sales, CN=cert 2, E=sales at company.de'
"1"[1] 192.168.150.136 #3: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.150.136:500
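Added example, not part of Markus's mail or of the strongSwan project: the revocation check that the IKEv2 side does not report above can be reproduced offline with the openssl CLI, independently of either daemon. The script builds a throwaway CA, issues two client certificates, revokes one, generates a CRL and then validates each certificate with 'openssl verify -crl_check', which is the verdict a validator that enforces revocation has to reach. It assumes an openssl binary (1.0 or later) on the PATH; the CA and certificate names are constructed for the demo and are not the ones from the post. As a caveat for the strongSwan side: with strictcrlpolicy=no (the default in 'config setup') a peer whose revocation status cannot be determined is still accepted, which is consistent with the charon line "certificate status is not available" being followed by a successful authentication.

```shell
#!/bin/sh
# Added example (not from the original post or the strongSwan project):
# rebuild the situation from the mail with the openssl CLI, offline:
# one CA, a revoked and a valid end-entity certificate, a CRL, and a
# CRL-enforcing verification of each certificate.
# CA name "sales ca" and CNs "cert 2"/"cert 3" are constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"          # empty CA database for 'openssl ca'
echo 01 > "$WORK/serial"

# Minimal config for 'openssl req' and 'openssl ca'; absolute paths so
# nothing from the host's openssl.cnf is needed.
cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
x509_extensions = ee_ext
[ any_policy ]
commonName = supplied
[ ee_ext ]
basicConstraints = CA:FALSE
EOF

# Self-signed CA (stands in for "sales ca" from the post).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=sales ca" \
  -config "$CNF" 2>/dev/null

# issue_cert NAME CN: create a CSR and have the CA sign it into $WORK/NAME.pem
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -config "$CNF" 2>/dev/null
  openssl ca -batch -config "$CNF" -notext \
    -in "$WORK/$1.csr" -out "$WORK/$1.pem" >/dev/null 2>&1
}

issue_cert revoked "cert 2"   # will be revoked, like the client in the post
issue_cert valid   "cert 3"   # stays valid

# Revoke "cert 2" (reason left unspecified, as in the pluto log) and issue the CRL.
openssl ca -config "$CNF" -revoke "$WORK/revoked.pem" >/dev/null 2>&1
openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1

# 'openssl verify' loads CRLs found in -CAfile, which works on old and new
# releases alike (newer ones also accept -CRLfile).
cat "$WORK/ca.pem" "$WORK/crl.pem" > "$WORK/bundle.pem"

REVOKED_CERT="$WORK/revoked.pem"
VALID_CERT="$WORK/valid.pem"

# cert_status CERT: prints "ok", "revoked" or "error".
# -crl_check turns a missing CRL into a failure instead of a silent pass,
# which is the behaviour to insist on for a VPN gateway.
cert_status() {
  out="$(openssl verify -crl_check -CAfile "$WORK/bundle.pem" "$1" 2>&1)" && {
    echo ok; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}

cert_status "$REVOKED_CERT"   # revoked
cert_status "$VALID_CERT"     # ok
```

Pointing the same check at the real files ('openssl verify -crl_check -CAfile <cacert plus CRL> <peer cert>') is a quick way to confirm that the CRL in /etc/ipsec.d/crls actually covers the certificate the peer presents before looking for the cause inside the daemons.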