[strongSwan] Revoking of own/local certificates and crlsign question

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Aug 1 16:57:29 CEST 2017

Hello David,

strongSwan does not check its own certificate for revocation, because it does not improve security.
Users/Administrators are expected to rotate the certificates, if they are revoked or run out.
If the remote peer checks for revocation, it will reject the certificate anyway.

Regarding the second query, charon checks if CRLSign OR the CA bit is set[1], if the x509 plugin is used.
It seems it was forgotten to check the X509_CRLSign bit in the openssl plugin's issued_by method[2].
In the x509 plugin, it is checked[1].

Going to "3.3. Revocation" in RFC5280[3], the following is stated:
"A CRL is a time-stamped list identifying revoked certificates that is signed by a CA or CRL issuer and made freely available in a public repository."

As it explicitly mentions "or", I interpret this here as that either or both bits can be set.

Kind regards


[1] https://github.com/strongswan/strongswan/blob/master/src/libstrongswan/plugins/x509/x509_crl.c#L473
[2] https://github.com/strongswan/strongswan/blob/master/src/libstrongswan/plugins/openssl/openssl_crl.c#L262
[3] https://tools.ietf.org/html/rfc5280#section-3.3
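To make the "CRLSign OR CA bit" rule concrete, here is an added example (not strongSwan code and not from this thread) using Python's cryptography package: it builds a constructed self-signed issuer with chosen cRLSign/CA bits, signs a CRL with it, and then applies the x509-plugin rule that the CRL signature must verify and the issuer must carry cRLSign or the basicConstraints CA bit. The helper names (make_issuer, make_crl, crl_issued_by, is_revoked) are this example's own.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def _now():
    return datetime.datetime.now(datetime.timezone.utc)

def make_issuer(name, crl_sign, is_ca):
    """Constructed self-signed issuer whose keyUsage/basicConstraints bits we choose."""
    key = ec.generate_private_key(ec.SECP384R1())
    dn = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    usage = x509.KeyUsage(digital_signature=True, content_commitment=False,
                          key_encipherment=False, data_encipherment=False,
                          key_agreement=False, key_cert_sign=is_ca, crl_sign=crl_sign,
                          encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder().subject_name(dn).issuer_name(dn)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .add_extension(usage, critical=True)
            .sign(key, hashes.SHA384()))
    return key, cert

def make_crl(key, issuer_cert, revoked_serial):
    """CRL signed with the issuer key, listing one constructed revoked serial number."""
    entry = (x509.RevokedCertificateBuilder().serial_number(revoked_serial)
             .revocation_date(_now()).build())
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
            .last_update(_now()).next_update(_now() + datetime.timedelta(days=10))
            .add_revoked_certificate(entry).sign(key, hashes.SHA384()))

def crl_issued_by(crl, issuer_cert):
    """The x509-plugin rule: issuer name matches, the signature verifies, and the
    issuer has cRLSign OR the basicConstraints CA bit (either one is enough)."""
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
        return False
    exts = issuer_cert.extensions
    try:
        crl_sign = exts.get_extension_for_oid(ExtensionOID.KEY_USAGE).value.crl_sign
    except x509.ExtensionNotFound:
        crl_sign = False
    try:
        ca = exts.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca
    except x509.ExtensionNotFound:
        ca = False
    return crl_sign or ca

def is_revoked(crl, serial):
    # Only meaningful for a CRL that has already passed crl_issued_by().
    return crl.get_revoked_certificate_by_serial_number(serial) is not None
```

A CRL from an issuer with neither bit is rejected even though its signature is fine, which is the behaviour the x509 plugin implements and the openssl plugin's issued_by was missing.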

On 31.07.2017 13:32, David Keane wrote:
> Hi all,
> My setup is as follows:
> Host 1 --> MyVPNGW --> PeerVPNGW --> Host 2
> MyVPNGW is also connected to a CA server that contains a CRL on /var/www/html/. I am using a Root CA and an Intermediate CA certificate on each side with their relevant client certs.
> I have a few questions that I need answers in relation to strongswan's revocation procedures that maybe you can help with. My 1st issue is that if I add MyVPNGW's certificate to the CRL marked as revoked and then initiate the tunnel from MyVPNGW also, I find that the tunnel will establish, with or without strict-crl-policy and the CRL embedded in the certificate appears to be ignored. The CRLDP is embedded in the certificate itself as follows:
> X509v3 CRL Distribution Points:
> Full Name:
>          URI:
> I can see in the logs that the CRL was fetched correctly:
> received end entity cert "XXXXXXXXX"
>   using certificate "XXXXXX"
>   using trusted intermediate ca certificate "XXXXXX"
> *checking certificate status of "CN=PeerVPNGW"*
>   fetching crl from '' ...
>   using trusted ca certificate "XXXXXX"
>   reached self-signed root ca with a path length of 0
>   using trusted certificate "XXXXXXXXXX"
>   crl correctly signed by "XXXXXXXXXXX"
>   crl is valid: until Aug 11 23:27:53 2017
> certificate status is good
>   using trusted ca certificate "XXXXXXXXXXXX"
> *checking certificate status of "CN=intermediate_ca.test.com"*
>   fetching crl from '' ...
>   using trusted certificate "XXXXXXXXXX"
>   crl correctly signed by "XXXXXXXXXXXXX"
>   crl is valid: until Aug 11 14:47:48 2017
> certificate status is good
>   reached self-signed root ca with a path length of 1
> authentication of 'XXXXXXXXX' with ECDSA_WITH_SHA384_DER successful
> IKE_SA testsa[1] established between X.X.X.X[XXXXX]...X.X.X.X[XXXXXX]
> scheduling reauthentication in 86370s
> maximum IKE_SA lifetime 86400s
> connection 'testsa' established successfully
> If I mark the PeerVPNGW cert as revoked, the connection fails and I can see in the IPSec logs that the certificate was revoked. I notice in the logs (see above) that it only seems to check the certificate status of the peer certs and not the local side, is that correct? Is there any way of getting strongswan to validate its local certificate against the CRL?
> My 2nd question is in relation to CRLsign. My understanding of the standards is that the CRL should be ignored unless it was signed by a CA certificate that has the CRLsign bit set. I am finding that strongswan seems to ignore this. If I create a CRL from a certificate that doesn't have the CRLsign bit set and then revoke the PeerVPNGW cert, I find that the connection fails as it's seeing the PeerVPNGW cert as being revoked. I would have expected it to ignore the CRL as the CRLsign bit wasn't set and it shouldn't be recognised as a valid CRL. Just wondering what your opinions are on this?
> Thank you,
> David
