[strongSwan] CRL response with Strongswan 4

Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Mon Nov 26 13:29:38 CET 2012


Hi Andreas,

On 26/11/2012 12:44, Andreas Steffen wrote:
> Hi Fabrice,
>
> can you fetch the CRLs manually e.g. using wget:
>
>    wget http://crl1.igc.education.fr/agriates.crl
>
>    wget http://crl2.igc.education.fr/agriates.crl
Yes, I can.

openssl crl -inform DER -text -in agriates.crl returns this:
Certificate Revocation List (CRL):
         Version 2 (0x1)
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: /C=fr/O=gouv/CN=RACINE AGRIATES
         Last Update: Nov 26 09:23:17 2012 GMT
         Next Update: Nov 26 16:23:18 2012 GMT
         CRL extensions:
             X509v3 Authority Key Identifier:
keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03

             X509v3 CRL Number:
                 14470
Revoked Certificates:
     Serial Number: 097D67CD63C754B80701B1F959C131
         Revocation Date: Jan 10 08:49:35 2008 GMT
         CRL entry extensions:
             Invalidity Date:
                 Jan 10 08:49:35 2008 GMT
     Serial Number: 017485A38327F1D92ADD7F37D4A263E5
         Revocation Date: Jul  4 08:20:17 2008 GMT
         CRL entry extensions:
             X509v3 CRL Reason Code:
                 Key Compromise
             Invalidity Date:
                 Jul  4 08:20:03 2008 GMT
     Serial Number: 02B99B8561BF369AD6E2BF8B212AB0A6
         Revocation Date: Jan  3 10:11:48 2011 GMT
         CRL entry extensions:
             Invalidity Date:
................
>
> If no then the webservers or the CRL files are not
> available or a firewall is blocking http port 80.
>
> If yes, has the the curl plugin been loaded by strongSwan?

Here is what we can see in the log file:
Nov 26 12:57:23 sphynxtestha1 charon: 00[CFG] loading crls from 
'/etc/ipsec.d/crls'
Nov 26 12:57:23 sphynxtestha1 charon: 00[CFG] loading secrets from 
'/etc/ipsec.secrets'
Nov 26 12:57:23 sphynxtestha1 charon: 00[CFG] expanding file expression 
'/var/lib/strongswan/ipsec.secrets.inc' failed
Nov 26 12:57:23 sphynxtestha1 charon: 00[KNL] listening on interfaces:
Nov 26 12:57:23 sphynxtestha1 charon: 00[KNL]   eth0
Nov 26 12:57:23 sphynxtestha1 charon: 00[KNL]     192.168.0.19
Nov 26 12:57:23 sphynxtestha1 charon: 00[KNL]     192.168.0.18
Nov 26 12:57:23 sphynxtestha1 charon: 00[KNL]   eth1
Nov 26 12:57:23 sphynxtestha1 charon: 00[KNL]     172.30.102.1
Nov 26 12:57:23 sphynxtestha1 charon: 00[KNL]   eth2
Nov 26 12:57:23 sphynxtestha1 charon: 00[KNL]     192.168.1.1
Nov 26 12:57:23 sphynxtestha1 charon: 00[CFG] starting HA heartbeat, 
delay 1000ms, timeout 2100ms
Nov 26 12:57:23 sphynxtestha1 charon: 00[DMN] loaded plugins: aes sha1 
sha2 hmac gmp random pubkey pem x509 revocation curl pkcs1 stroke sqlite 
sql updown kernel-netlink socket-raw ha
Nov 26 12:57:23 sphynxtestha1 charon: 00[JOB] spawning 16 worker threads
Nov 26 12:57:23 sphynxtestha1 charon: 09[JOB] start action: initiate 
'dmz-reseau10'
Nov 26 12:57:23 sphynxtestha1 charon: 10[CFG] crl caching to 
/etc/ipsec.d/crls enabled

It seems the curl plugin has been loaded.

The error message is in
src/libstrongswan/plugins/revocation/revocation_validator.c (plugin
validator?):
         /* check CRL signature */
         if (!verify_crl(cand, auth))
         {
                 DBG1(DBG_CFG, "crl response verification failed");
                 cand->destroy(cand);
                 return best;
         }
>
> Regards
>
> Andreas
>
> On 26.11.2012 12:31, Fabrice Barconnière wrote:
>> Hello,
>>
>> What can i verify with this CRL problem ?
>>
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[IKE] received end entity cert
>> "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15"
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG]   using certificate "C=fr,
>> O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15"
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG]   using trusted ca
>> certificate "C=fr, O=gouv, CN=RACINE AGRIATES"
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG] checking certificate
>> status of "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15"
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG]   fetching crl from
>> 'http://crl1.igc.education.fr/agriates.crl' ...
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG]   using trusted
>> certificate "C=fr, O=gouv, CN=RACINE AGRIATES"
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG] crl response verification
>> failed
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG]   fetching crl from
>> 'http://crl2.igc.education.fr/agriates.crl' ...
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG]   using trusted
>> certificate "C=fr, O=gouv, CN=RACINE AGRIATES"
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG] crl response verification
>> failed
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG] certificate status is not
>> available
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[CFG]   reached self-signed root
>> ca with a path length of 0
>> Nov 22 16:23:05 sphynxtestha1 charon: 15[IKE] authentication of 'C=fr,
>> O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15' with RSA signature
>> successful
>>
>


-- 
Regards,
Fabrice Barconnière
Equipe EOLE
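As an added example (not part of this thread and not strongSwan's own code), the script below reproduces offline the checks charon's revocation plugin performs before it accepts a fetched CRL: the signature must verify against the trusted CA certificate, the CRL's Authority Key Identifier must match that CA's Subject Key Identifier, and only then is a serial looked up. It uses nothing but the openssl CLI and a constructed throw-away PKI; the directory names, the "Test Root" CN and the leaf certificate are assumptions, not anything from the AGRIATES PKI. A second CA with the same subject name but a different key stands in for the case where the CA certificate strongSwan has loaded is not the one that signed the CRL: the signature check then fails exactly as "crl response verification failed" does, and the AKI/SKI comparison shows why.

```sh
#!/bin/sh
# Added example, not strongSwan code: reproduce offline the checks charon's
# revocation plugin applies to a fetched CRL (signature by the trusted CA,
# issuer key match, revoked-serial lookup), using only the openssl CLI.
# The CAs, leaf certificate and CRL are constructed here; nothing touches a real PKI.
set -e

WORK=$(mktemp -d)

# Create a throw-away CA in $1 with the minimal config "openssl ca" needs to
# revoke certificates and emit a CRL that carries an Authority Key Identifier.
make_ca() {                       # $1 = directory, $2 = CA common name
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/C=XX/O=test/CN=$2" >/dev/null 2>&1
  : > "$1/index.txt"
  echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $1/index.txt
crlnumber        = $1/crlnumber
certificate      = $1/ca.pem
private_key      = $1/ca.key
default_md       = sha256
default_crl_days = 1
crl_extensions   = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}

# Issue a leaf from the CA in $1, revoke it for key compromise, and write the
# CRL as DER, the encoding a CRL distribution point serves over HTTP.
make_crl() {                      # $1 = CA directory
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/leaf.key" \
    -out "$1/leaf.csr" -subj "/C=XX/O=test/CN=leaf" >/dev/null 2>&1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" >/dev/null 2>&1
  openssl ca -config "$1/ca.cnf" -revoke "$1/leaf.pem" \
    -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
  openssl crl -in "$1/crl.pem" -outform DER -out "$1/crl.der"
}

# Check 1: signature. openssl prints "verify OK" only when the CRL was signed by
# the key in the given CA certificate; any other outcome is what charon logs as
# "crl response verification failed".
crl_signature_ok() {              # $1 = DER CRL, $2 = trusted CA PEM
  openssl crl -inform DER -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Check 2: the CRL's Authority Key Identifier must equal the Subject Key
# Identifier of the CA certificate we trust. A mismatch means a different key
# signed the CRL (for instance a re-keyed root whose new certificate was never
# installed), so check 1 cannot succeed. The sed scripts take the line after
# the extension name and strip the "keyid:" prefix older openssl versions print.
crl_aki() { openssl crl -inform DER -in "$1" -noout -text \
  | sed -n '/Authority Key Identifier/{n;s/keyid://;s/ //g;p;}'; }
ca_ski()  { openssl x509 -in "$1" -noout -text \
  | sed -n '/Subject Key Identifier/{n;s/ //g;p;}'; }

# Check 3: revoked-serial lookup. "x509 -serial" and "crl -text" may differ in
# case and leading zeros, so both sides are normalised before comparison.
norm_serial() { tr 'A-F' 'a-f' | sed 's/^0*//'; }
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2 | norm_serial; }
crl_lists_serial() {              # $1 = DER CRL, $2 = normalised serial
  openssl crl -inform DER -in "$1" -noout -text \
    | sed -n 's/^ *Serial Number: *//p' | norm_serial | grep -qxF "$2"
}

make_ca  "$WORK/issuer" "Test Root"
make_crl "$WORK/issuer"
make_ca  "$WORK/rekeyed" "Test Root"   # same name, different key: a wrong trust anchor

CRL="$WORK/issuer/crl.der"
CA="$WORK/issuer/ca.pem"
WRONG_CA="$WORK/rekeyed/ca.pem"
SERIAL=$(cert_serial "$WORK/issuer/leaf.pem")

crl_signature_ok "$CRL" "$CA"       && echo "signature OK with the issuing CA"
[ "$(crl_aki "$CRL")" = "$(ca_ski "$CA")" ] && echo "CRL AKI matches CA SKI"
crl_lists_serial "$CRL" "$SERIAL"   && echo "serial $SERIAL is revoked"
crl_signature_ok "$CRL" "$WRONG_CA" || echo "re-keyed CA rejected: AKI $(crl_aki "$CRL") != SKI $(ca_ski "$WRONG_CA")"
```

Pointing the same two functions at a CRL fetched with wget and at the CA certificate strongSwan is actually using tells you whether the "verification failed" message is a signature problem (check 1 fails while check 2 passes, so the CRL is corrupt or not a CRL at all) or a trust-anchor problem (check 2 fails as well, so the CRL is signed by a key other than the one in the installed CA certificate).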