[strongSwan] Error handling issuingDistributionPoint (IDP) field in X.509 CRLs

Andreas Steffen andreas.steffen at strongswan.org
Fri Jul 12 09:10:44 CEST 2013


Hello Brian,

the following patch makes strongSwan recognize the critical
issuingDistributionPoint CRL extension:

http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=126778679f9edc8ff2de38feddaf84759936939d

If you are currently stuck with strongSwan 4.6.4 then you can circumvent
the problem by setting

  libstrongswan {
    x509 {
      enforce_critical = no
    }
  }

in /etc/strongswan.conf which will cause unknown critical extensions
not to abort the parsing of X.509 certificates and CRLs.

Best Regards

Andreas

On 07/12/2013 03:01 AM, Pruss Brian-ABP035 wrote:
> We have a system in which StrongSwan is being used in a VPN Gateway, and
> uses X.509 CRLs to validate certificates from incoming Initiator
> connections. The CRLs are distributed by a Certificate Authority in our
> internal network, and are to be used by both the Gateway and
> road-warrior clients.
> 
> We’ve encountered a situation where StrongSwan is having problems
> handling an optional field in the X.509 CRL.
> 
> My group has a usage scenario where a remote Initiator (non-StrongSwan)
> will require a CRL with the issuingDistributionPoint (IDP) field
> present for certain reasons. The IDP extension is not required by the
> relevant RFC (5280) to be supported in a conforming implementation.
> However, the RFC does state that the field must be marked Critical when
> used. Based on this, our Initiator will reject IDPs that are not marked
> Critical.
> 
> When we configured our CA to include the field, CRL handling started
> failing on our StrongSwan Gateway during Initiator authentication, and
> charon.log is showing the error pasted below.
> 
> 00[ASN] critical 'issuingDistributionPoint' extension not supported
> 00[LIB] found unsupported critical X.509 CRL extension
> 00[LIB] building CRED_CERTIFICATE - X509_CRL failed, tried 4 builders
> 00[CFG]   loading crl from '/etc/ipsec.d/crls/IssuingCA.crl' failed
> 
> Is there any way to avoid this problem? This is using StrongSwan 4.6.4.
> 
> Thanks in advance,
> 
> Brian Pruss
> 
> Motorola Solutions, Inc.


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
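The failure Brian reports and the `enforce_critical` workaround Andreas gives both come down to one rule from RFC 5280: a parser that encounters a critical extension it does not understand must reject the object, so a CRL carrying a critical IDP is rejected by any parser (such as strongSwan 4.6.4) that has no IDP support. The script below is an added illustration of that rule, written for this page and not taken from strongSwan's x509 plugin. It hand-encodes a small DER `Extensions` list (a non-critical crlNumber plus a critical issuingDistributionPoint, constructed here, not from a real CA), walks it back with a minimal DER decoder, and applies the "unknown critical extension aborts parsing unless enforcement is disabled" policy. The `SUPPORTED` table is an assumption standing in for a parser without IDP support, and the diagnostic strings are modelled on the charon.log lines quoted in the thread.

```python
"""Added example: check X.509 CRL extensions for unknown critical ones.

Not strongSwan code. The DER helpers are written for this example and
cover only the tags the sample needs. The sample extension blob below is
constructed inline and is not a real CA's CRL.
"""

OID_CRL_NUMBER = "2.5.29.20"   # crlNumber, id-ce 20
OID_IDP = "2.5.29.28"          # issuingDistributionPoint, id-ce 28
OID_AKI = "2.5.29.35"          # authorityKeyIdentifier, id-ce 35

# Assumption: the set of extensions our hypothetical parser understands.
# A 4.6.4-era parser knows crlNumber and AKI but not IDP.
SUPPORTED = {OID_CRL_NUMBER: "crlNumber", OID_AKI: "authorityKeyIdentifier"}


# --- minimal DER encoder (example helper) ---------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def seq(*parts):
    return tlv(0x30, b"".join(parts))


def boolean(v):
    return tlv(0x01, b"\xff" if v else b"\x00")


def octets(b):
    return tlv(0x04, b)


def integer(n):
    # non-negative only; extra byte keeps the sign bit clear when needed
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def extension(oid_str, critical, value):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }
    parts = [oid(oid_str)]
    if critical:                 # DER omits a BOOLEAN equal to its DEFAULT
        parts.append(boolean(True))
    parts.append(octets(value))
    return seq(*parts)


# --- minimal DER decoder (example helper) ---------------------------------
def read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_extensions(der):
    """Return a list of (oid, critical) pairs from a DER Extensions SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:           # optional critical flag present
            critical = val == b"\xff"
            tag, val, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid_body), critical))
    return result


def check_crl_extensions(der, enforce_critical=True, supported=SUPPORTED):
    """RFC 5280 rule: an unrecognised critical extension rejects the CRL.

    enforce_critical=False mirrors strongswan.conf's enforce_critical = no:
    the unknown extension is logged but parsing continues.
    Returns (accepted, messages).
    """
    ok, msgs = True, []
    for o, crit in parse_extensions(der):
        if o in supported:
            msgs.append(f"extension {supported[o]} ({o}) critical={crit}")
        elif crit:
            msgs.append(f"critical '{o}' extension not supported")
            if enforce_critical:
                ok = False
        else:
            msgs.append(f"ignoring unknown non-critical extension {o}")
    return ok, msgs


# Constructed sample: crlNumber 42 (non-critical) plus a critical IDP whose
# body sets onlyContainsUserCerts [1] IMPLICIT BOOLEAN TRUE.
SAMPLE_EXTENSIONS = seq(
    extension(OID_CRL_NUMBER, False, integer(42)),
    extension(OID_IDP, True, seq(tlv(0x81, b"\xff"))),
)

if __name__ == "__main__":
    for enforce in (True, False):
        accepted, log = check_crl_extensions(SAMPLE_EXTENSIONS, enforce)
        print(f"enforce_critical={enforce}: accepted={accepted}")
        for line in log:
            print("  ", line)
```

Running it shows the two outcomes from the thread: with enforcement on, the critical IDP rejects the CRL just as charon did; with it off, the same CRL loads and the IDP is merely logged. Adding `OID_IDP` to `SUPPORTED` models the patched parser, which accepts the CRL without weakening the check for any other unknown critical extension.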
