[strongSwan] Revoking of own/local certificates and crlsign question

David Keane dkeane3000 at gmail.com
Fri Aug 4 00:54:19 CEST 2017


Hi Noel,

Thank you for the reply. Regarding the crlSign bit, in our environment we
can only accept a CRL if it has been signed by a CA AND has the crlSign bit set.
I changed the line in the code to "if (!(x509->get_flags(x509) &
X509_CRL_SIGN))" but it just seems to get ignored even when the CA cert on
the peer doesn't have the crlSign bit set. Is there something else in the code
that I am missing?

Thanks,

David

On Mon, Jul 31, 2017 at 12:32 PM, David Keane <dkeane3000 at gmail.com> wrote:

> Hi all,
>
> My setup is as follows:
>
> Host 1 --> MyVPNGW --> PeerVPNGW --> Host 2
>
> MyVPNGW is also connected to a CA server that contains a CRL on
> /var/www/html/. I am using a Root CA and an Intermediate CA certificate on
> each side with their relevant client certs.
>
> I have a few questions in relation to strongswan's revocation procedures
> that maybe you can help with. My 1st issue is that if I add MyVPNGW's
> certificate to the CRL marked as revoked and then initiate the tunnel from
> MyVPNGW also, I find that the tunnel will establish, with or without
> strict-crl-policy, and the CRL embedded in the certificate appears to be
> ignored. The CRLDP is embedded in the certificate itself as follows:
>
> X509v3 CRL Distribution Points:
>
> Full Name:
>          URI:http://192.168.1.1/crl.der
>
> I can see in the logs that the CRL was fetched correctly:
>
> received end entity cert "XXXXXXXXX"
>   using certificate "XXXXXX"
>   using trusted intermediate ca certificate "XXXXXX"
> *checking certificate status of "CN=PeerVPNGW"*
>   fetching crl from 'http://192.168.1.1/crl.der' ...
>   using trusted ca certificate "XXXXXX"
>   reached self-signed root ca with a path length of 0
>   using trusted certificate "XXXXXXXXXX"
>   crl correctly signed by "XXXXXXXXXXX"
>   crl is valid: until Aug 11 23:27:53 2017
> certificate status is good
>   using trusted ca certificate "XXXXXXXXXXXX"
> *checking certificate status of "CN=intermediate_ca.test.com"*
>   fetching crl from 'http://192.168.1.1/rootcrl.der' ...
>   using trusted certificate "XXXXXXXXXX"
>   crl correctly signed by "XXXXXXXXXXXXX"
>   crl is valid: until Aug 11 14:47:48 2017
> certificate status is good
>   reached self-signed root ca with a path length of 1
> authentication of 'XXXXXXXXX' with ECDSA_WITH_SHA384_DER successful
> IKE_SA testsa[1] established between X.X.X.X[XXXXX]...X.X.X.X[XXXXXX]
> scheduling reauthentication in 86370s
> maximum IKE_SA lifetime 86400s
> connection 'testsa' established successfully
>
> If I mark the PeerVPNGW cert as revoked, the connection fails and I can
> see in the IPSec logs that the certificate was revoked. I notice in the
> logs (see above) that it only seems to check the certificate status of the
> peer certs and not the local side, is that correct? Is there any way of
> getting strongswan to validate its local certificate against the CRL?
>
> My 2nd question is in relation to CRLsign. My understanding of the standards
> is that the CRL should be ignored unless it was signed by a CA certificate
> that has the CRLsign bit set. I am finding that strongswan seems to ignore
> this. If I create a CRL from a certificate that doesn't have the CRLsign bit
> set and then revoke the PeerVPNGW cert, I find that the connection fails as
> it's seeing the PeerVPNGW cert as being revoked. I would have expected it to
> ignore the CRL as the CRLsign bit wasn't set and it shouldn't be recognised
> as a valid CRL. Just wondering what your opinions are on this?
>
> Thank you,
>
> David
>
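The two checks this thread asks about, whether a CRL may be used at all when the CA that signed it does not assert cRLSign in its keyUsage, and whether a gateway's own certificate can be looked up in a CRL the same way a peer's is, written out as an added, stand-alone Python example. This is not strongSwan code and makes no claim about what strongSwan's own revocation checker does; it uses the third-party `cryptography` package and builds its own throwaway CAs, gateway certificates and CRLs in memory under made-up names ("Test Root CA", "Test CA without cRLSign", "PeerVPNGW", "MyVPNGW"). The acceptance rules follow RFC 5280 section 6.3.3: issuer name match, signature under the CA key, cRLSign asserted if keyUsage is present, and nextUpdate not passed.

```python
"""Added example (not strongSwan code): CRL acceptance checks in the RFC 5280 style.
All CAs, certificates, CRLs and names are constructed in memory for the demo.
Requires the third-party `cryptography` package."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HASH = hashes.SHA384()  # same family as the ECDSA_WITH_SHA384 authentication in the log


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _validity(days):
    now = datetime.now(timezone.utc)
    return now - timedelta(minutes=1), now + timedelta(days=days)


def make_ca(cn, crl_sign):
    """Self-signed CA whose keyUsage asserts keyCertSign and, only if crl_sign, cRLSign."""
    key = ec.generate_private_key(ec.SECP384R1())
    nvb, nva = _validity(30)
    usage = x509.KeyUsage(
        digital_signature=False, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=True,
        crl_sign=crl_sign, encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(nvb).not_valid_after(nva)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(usage, critical=True)
            .sign(key, HASH))
    return key, cert


def issue_cert(ca_key, ca_cert, cn):
    """End-entity certificate for a VPN gateway, issued by the given CA."""
    key = ec.generate_private_key(ec.SECP384R1())
    nvb, nva = _validity(10)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(nvb).not_valid_after(nva)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, HASH))


def build_crl(signing_key, issuer_cert, revoked_serials, days=7):
    """CRL that names issuer_cert as issuer and is signed with signing_key (may deliberately differ)."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(now - timedelta(minutes=1))
               .next_update(now + timedelta(days=days)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, HASH)


def crl_acceptable(crl, issuer_cert):
    """Return (ok, reason): issuer match, signature, cRLSign if keyUsage present, not stale."""
    if crl.issuer != issuer_cert.subject:
        return False, "CRL issuer does not match the CA certificate"
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return False, "CRL signature does not verify under the CA key"
    try:
        usage = issuer_cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        usage = None  # RFC 5280 only demands cRLSign when keyUsage is present at all
    if usage is not None and not usage.crl_sign:
        return False, "CA certificate lacks the cRLSign key usage bit"
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update
    if next_update.tzinfo is None:  # older cryptography releases return naive UTC datetimes
        next_update = next_update.replace(tzinfo=timezone.utc)
    if next_update < datetime.now(timezone.utc):
        return False, "CRL is stale (nextUpdate has passed)"
    return True, "CRL is valid until %s" % next_update.isoformat()


def certificate_status(cert, crl, issuer_cert):
    """'good', 'revoked', or 'undetermined: <reason>' when the CRL itself cannot be trusted."""
    ok, reason = crl_acceptable(crl, issuer_cert)
    if not ok:
        return "undetermined: " + reason
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """Replay the situations from the thread with constructed material; returns case -> status."""
    root_key, root = make_ca("Test Root CA", crl_sign=True)
    weak_key, weak = make_ca("Test CA without cRLSign", crl_sign=False)
    peer = issue_cert(root_key, root, "PeerVPNGW")
    local = issue_cert(root_key, root, "MyVPNGW")
    peer_weak = issue_cert(weak_key, weak, "PeerVPNGW")
    proper_crl = build_crl(root_key, root, [peer.serial_number])
    weak_crl = build_crl(weak_key, weak, [peer_weak.serial_number])
    forged_crl = build_crl(weak_key, root, [local.serial_number])  # names root, signed by wrong key
    return {
        "peer_with_proper_crl": certificate_status(peer, proper_crl, root),
        "local_with_proper_crl": certificate_status(local, proper_crl, root),  # own cert, same path
        "peer_with_crl_from_ca_lacking_crlsign": certificate_status(peer_weak, weak_crl, weak),
        "local_with_forged_crl": certificate_status(local, forged_crl, root),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-40s %s" % (case, result))
```

`certificate_status` takes any certificate, so running the gateway's own certificate through it beside the peer's is a one-line addition to a deployment check; and because a CRL signed by a CA without cRLSign is reported as "undetermined" rather than "good", a revoked peer is not silently accepted when the CRL is rejected, which is the failure mode a strict policy has to cover.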