[strongSwan] Error handling issuingDistributionPoint (IDP) field in X.509 CRLs

Pruss Brian-ABP035 brian.pruss at motorolasolutions.com
Fri Jul 12 03:01:20 CEST 2013

We have a system in which StrongSwan is being used in a VPN Gateway, and uses X.509 CRLs to validate certificates from incoming Initiator connections. The CRLs are distributed by a Certificate Authority in our internal network, and are to be used by both the Gateway and road-warrior clients.

We've encountered a situation where StrongSwan is having problems handling an optional field in the X.509 CRL.

My group has a usage scenario where a remote Initiator (non-StrongSwan) will require a CRL with the issuingDistributionPoint (IDP) field present for certain reasons. The IDP extension is not required by the relevant RFC (5280) to be supported in a conforming implementation. However, the RFC does state that the field must be marked Critical when used. Based on this, our Initiator will reject IDPs that are not marked Critical.

When we configured our CA to include the field, CRL handling started failing on our StrongSwan Gateway during Initiator authentication, and charon.log is showing the error pasted below.

00[ASN] critical 'issuingDistributionPoint' extension not supported
00[LIB] found unsupported critical X.509 CRL extension
00[LIB] building CRED_CERTIFICATE - X509_CRL failed, tried 4 builders
00[CFG]   loading crl from '/etc/ipsec.d/crls/IssuingCA.crl' failed

Is there any way to avoid this problem? This is using StrongSwan 4.6.4.

Thanks in advance,

Brian Pruss
Motorola Solutions, Inc.
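The log lines quoted above are the relying party (the gateway) refusing a CRL that carries a critical extension it does not implement, which is exactly what RFC 5280 section 5.2 requires of it. A useful pre-deployment check is to list every crlExtensions entry of a CRL together with its critical flag before the CA starts publishing it, so an unsupported critical extension is caught on the CA side rather than in charon.log. The following is an added example written for this thread, not strongSwan code and not part of the original post; it uses only the Python standard library, and the CRL it inspects is constructed inline with a made-up issuer name, made-up dates and a dummy (unsigned) signature field.

```python
"""List the crlExtensions of a DER-encoded X.509 CRL and flag the critical ones.

Example code for this thread (not strongSwan's parser). The sample CRL is
constructed here for illustration; only the extension-listing logic matters.
"""

# CRL extension OIDs named in RFC 5280 section 5.2 (the set this check reports by name)
KNOWN_CRL_EXTENSIONS = {
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.18": "issuerAltName",
    "2.5.29.20": "cRLNumber",
    "2.5.29.27": "deltaCRLIndicator",
    "2.5.29.28": "issuingDistributionPoint",
    "2.5.29.46": "freshestCRL",
}

# ---- minimal DER encoder, used only to build the constructed sample CRL ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out

def der_extension(oid, critical, value):
    body = tlv(0x06, der_oid(oid))
    if critical:  # BOOLEAN DEFAULT FALSE: DER encodes it only when TRUE
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def build_sample_crl(idp_critical=True):
    """Constructed v2 CRL with no revoked entries, a cRLNumber extension and an
    issuingDistributionPoint extension; signature bytes are a placeholder."""
    sha256_rsa = tlv(0x30, tlv(0x06, der_oid("1.2.840.113549.1.1.11")) + tlv(0x05, b""))
    cn = tlv(0x30, tlv(0x06, der_oid("2.5.4.3")) + tlv(0x0C, b"Example Issuing CA"))
    issuer = tlv(0x30, tlv(0x31, cn))  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    this_update = tlv(0x17, b"130712000000Z")  # UTCTime, made-up dates
    next_update = tlv(0x17, b"130812000000Z")
    idp_value = tlv(0x30, tlv(0x81, b"\xff"))  # IDP { onlyContainsUserCerts [1] TRUE }
    exts = der_extension("2.5.29.20", False, tlv(0x02, b"\x07"))
    exts += der_extension("2.5.29.28", idp_critical, idp_value)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + sha256_rsa + issuer + this_update
              + next_update + tlv(0xA0, tlv(0x30, exts)))  # crlExtensions [0] EXPLICIT
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + b"\x00" * 32))

# ---- minimal DER reader, enough to walk CertificateList -> TBSCertList -> crlExtensions ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the single-byte-tag TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def crl_extensions(crl_der):
    """Return [(oid, name, critical)] for each Extension in the CRL's crlExtensions."""
    _, cert_list, _ = read_tlv(crl_der)
    _, tbs, _ = read_tlv(cert_list)  # first element of CertificateList is TBSCertList
    result = []
    for tag, val in children(tbs):
        if tag != 0xA0:  # only the [0] EXPLICIT crlExtensions field is of interest
            continue
        _, ext_seq, _ = read_tlv(val)
        for _, ext in children(ext_seq):
            parts = children(ext)  # [OID, (BOOLEAN)?, OCTET STRING]
            oid = decode_oid(parts[0][1])
            critical = len(parts) == 3 and parts[1][0] == 0x01 and parts[1][1] != b"\x00"
            result.append((oid, KNOWN_CRL_EXTENSIONS.get(oid, "unknown"), critical))
    return result

def critical_extensions(crl_der):
    """Names of critical extensions: a relying party that implements none of these
    must reject the whole CRL, which is the failure seen in the charon.log above."""
    return [name for _, name, crit in crl_extensions(crl_der) if crit]

if __name__ == "__main__":
    # With a real file: crl_extensions(open("/path/to/IssuingCA.crl", "rb").read())
    for oid, name, crit in crl_extensions(build_sample_crl()):
        print(f"{oid:<12} {name:<28} critical={crit}")
```

Running it against the constructed CRL reports cRLNumber as non-critical and issuingDistributionPoint as critical, which is the combination that the CA in this thread produces and that a relying party without IDP support has to refuse. Pointing `crl_extensions` at a DER CRL exported from the CA gives the same listing for the real file.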
