[strongSwan] OCSP and CRL problem
Gömöri Zoltán
suf at freemail.hu
Wed Jul 27 15:05:56 CEST 2016
Hi,

I’ve problems with the certificate revocation check.
The system:
StrongSwan v5.3.5 on Ubuntu 16.06, the CA is an Active Directory Certificate Services Enterprise CA on Windows Server 2012 R2.
When I establish the connection from a Windows 10 client I see the following in the log regarding the revocation check:

16[CFG] <GP-ANY-VPN|487> checking certificate status of "CN=XXXXXXXXXXX"
16[CFG] <GP-ANY-VPN|487> requesting ocsp status from 'http://XXXXXXXXXX/ocsp' ...
16[ASN] <GP-ANY-VPN|487> L0 - OCSPResponse:
16[ASN] <GP-ANY-VPN|487> L1 - responseStatus:
16[ASN] <GP-ANY-VPN|487> => 1 bytes @ 0x7f33f8007944
16[ASN] <GP-ANY-VPN|487> 0: 06 .
16[LIB] <GP-ANY-VPN|487> ocsp response status: unauthorized
16[LIB] <GP-ANY-VPN|487> building CRED_CERTIFICATE - X509_OCSP_RESPONSE failed, tried 2 builders
16[CFG] <GP-ANY-VPN|487> parsing ocsp response failed
16[CFG] <GP-ANY-VPN|487> ocsp check failed, fallback to crl
16[CFG] <GP-ANY-VPN|487> fetching crl from 'ldap:///CN=XXXXXXXXX,CN=XXXXXXXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXXXXX,DC=XX?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
16[LIB] <GP-ANY-VPN|487> LDAP bind to 'ldap:///CN=XXXXXXXXX,CN=XXXXXXXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXXXXX,DC=XX?certificateRevocationList?base?objectClass=cRLDistributionPoint' failed: Can't contact LDAP server
16[CFG] <GP-ANY-VPN|487> crl fetching failed
16[CFG] <GP-ANY-VPN|487> certificate status is not available
Problem 1: OCSP Unauthorized
Unfortunately I’m not an expert in this Base64 / ASN.1 system used in the OCSP request. I see the following in the IIS log:

2016-07-27 09:35:31 172.16.4.13 GET /ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSpFRoRLl4rcMKsoKQ2skpbAsaTMQQU9mmkRYx+H3QQpHLJYudaoIzrshgCEy8AAAACRdcD5m18LmcAAAAAAAI= - 81 - 172.16.4.13 Microsoft-CryptoAPI/6.1 - 200 0 0 0

I tried to decode the request manually. I got back the following:

30 54
30 52
30 50
30 4E
30 4C
30 09
06 05 2B0E03021A (OBJECT IDENTIFIER 1.3.14.3.2.26 - SHA1 Hash OID)
05 00
04 14 A9151A112E5E2B70C2ACA0A436B24A5B02C69331
04 14 F669A4458C7E1F7410A472C962E75AA08CEBB218 - (this is the Authority key identifier in my cert)
02 13 2F0000000245D703E66D7C2E67000000000002 - (this should be the serial number of my cert)

According to the strongswan log (and this can be seen in the certificate on the Windows also):

16[ASN] <GP-ANY-VPN|487> L2 - serialNumber:
16[ASN] <GP-ANY-VPN|487> => 19 bytes @ 0x7f33f800261f
16[ASN] <GP-ANY-VPN|487> 0: 2F 00 00 00 08 EC 3A 31 9D AA 10 F8 43 00 00 00 /.....:1....C...
16[ASN] <GP-ANY-VPN|487> 16: 00 00 08 ...

The serial number of the certificate and the serial number in the OCSP request are different. It looks like a bug to me.
BTW, I don’t understand why the OCSP request’s raw data isn’t getting logged with the “asn 4” loglevel.

Problem 2: CRL validation
It is normal here that the LDAP validation is failing, as the Linux host has no access to the LDAP server. On the other side, the CDP attribute of the certificate also contains an HTTP URI for the CRL. Is it possible to configure strongSwan to try not just the first CDP, or do I have no other option than to remove the LDAP path from the CDP attribute?

Thank you,
SUF
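To make the manual decode above repeatable, here is an added Python example (not part of the original post and not strongSwan code) that parses the base64 OCSP GET path segment from the IIS log into the CertID fields of RFC 6960 and checks the requested serial against the serial strongSwan logged for the certificate. Both sample values are taken from the post; the parser assumes a single, unsigned OCSP request encoded with DER definite lengths, which is what the Windows client sent here. Running it confirms the mismatch the poster found by hand, which is the check a defender wants before blaming either the responder or the client.

```python
import base64
from urllib.parse import unquote

# OCSP GET path segment from the post's IIS log (RFC 6960 A.1: base64 of the DER OCSPRequest).
OCSP_GET_PATH = ("MFQwUjBQME4wTDAJBgUrDgMCGgUABBSpFRoRLl4rcMKsoKQ2skpbAsaTMQQU"
                 "9mmkRYx+H3QQpHLJYudaoIzrshgCEy8AAAACRdcD5m18LmcAAAAAAAI=")

# Serial number strongSwan logged for the peer certificate (from the post's "asn" output).
LOGGED_CERT_SERIAL = "2f00000008ec3a319daa10f843000000000008"


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end).

    Handles single-byte tags and short/long-form definite lengths, which is
    all an OCSPRequest needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) pairs of the elements inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form (e.g. 1.3.14.3.2.26 = SHA-1)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_get_request(path_segment):
    """Return the CertID of the first Request inside an OCSP GET path segment.

    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] ... }
    TBSRequest  ::= SEQUENCE { version [0] ..., requestorName [1] ..., requestList SEQUENCE OF Request, ... }
    Request     ::= SEQUENCE { reqCert CertID, ... }
    CertID      ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    der = base64.b64decode(unquote(path_segment))
    tag, ocsp_request, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    tbs = next(v for t, v in children(ocsp_request) if t == 0x30)
    # [0] version and [1] requestorName are context tags (0xA0/0xA1); requestList is the first SEQUENCE.
    request_list = next(v for t, v in children(tbs) if t == 0x30)
    _, first_request = next(children(request_list))
    _, cert_id = next(children(first_request))
    alg, name_hash, key_hash, serial = [v for _, v in children(cert_id)][:4]
    oid_raw = next(v for t, v in children(alg) if t == 0x06)
    return {
        "hash_algorithm": decode_oid(oid_raw),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": serial.hex(),
    }


def serial_matches(request, cert_serial_hex):
    """True if the requested serial equals the certificate's serial.

    Compared as integers so a DER sign-padding zero does not cause a false mismatch."""
    return int(request["serial_number"], 16) == int(cert_serial_hex, 16)


if __name__ == "__main__":
    req = parse_ocsp_get_request(OCSP_GET_PATH)
    for k, v in req.items():
        print(f"{k:17}: {v}")
    print("serial matches logged certificate:", serial_matches(req, LOGGED_CERT_SERIAL))
```

The issuerKeyHash is the SHA-1 of the issuer's public key and should equal the certificate's Authority Key Identifier, as the poster observed; the issuerNameHash is the SHA-1 of the issuer's DER-encoded name. When a responder answers "unauthorized" it is worth confirming, as here, that the request actually names the expected serial before treating the responder as misconfigured.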