[strongSwan] Revoking of own/local certificates and crlsign question

David Keane dkeane3000 at gmail.com
Mon Jul 31 13:32:33 CEST 2017

Hi all,

My setup is as follows:

Host 1 --> MyVPNGW --> PeerVPNGW --> Host 2

MyVPNGW is also connected to a CA server that contains a CRL on
/var/www/html/. I am using a Root CA and an Intermediate CA certificate on
each side with their relevant client certs.

I have a few questions that I need answers to in relation to strongswan's
revocation procedures that maybe you can help with. My 1st issue is that if
I add MyVPNGW's certificate to the CRL marked as revoked and then initiate
the tunnel from MyVPNGW also, I find that the tunnel will establish, with
or without strict-crl-policy, and the CRL embedded in the certificate
appears to be ignored. The CRLDP is embedded in the certificate itself as

X509v3 CRL Distribution Points:

Full Name:

I can see in the logs that the CRL was fetched correctly:

received end entity cert "XXXXXXXXX"
  using certificate "XXXXXX"
  using trusted intermediate ca certificate "XXXXXX"
*checking certificate status of "CN=PeerVPNGW"*
  fetching crl from '' ...
  using trusted ca certificate "XXXXXX"
  reached self-signed root ca with a path length of 0
  using trusted certificate "XXXXXXXXXX"
  crl correctly signed by "XXXXXXXXXXX"
  crl is valid: until Aug 11 23:27:53 2017
certificate status is good
  using trusted ca certificate "XXXXXXXXXXXX"
*checking certificate status of "CN=intermediate_ca.test.com
  fetching crl from '' ...
  using trusted certificate "XXXXXXXXXX"
  crl correctly signed by "XXXXXXXXXXXXX"
  crl is valid: until Aug 11 14:47:48 2017
certificate status is good
  reached self-signed root ca with a path length of 1
authentication of 'XXXXXXXXX' with ECDSA_WITH_SHA384_DER successful
IKE_SA testsa[1] established between X.X.X.X[XXXXX]...X.X.X.X[XXXXXX]
scheduling reauthentication in 86370s
maximum IKE_SA lifetime 86400s
connection 'testsa' established successfully

If I mark the PeerVPNGW cert as revoked, the connection fails and I can see
in the IPSec logs that the certificate was revoked. I notice in the logs
(see above) that it only seems to check the certificate status of the peer
certs and not the local side, is that correct? Is there any way of getting
strongswan to validate its local certificate against the CRL?

My 2nd question is in relation to CRLsign. My understanding of the standards
is that the CRL should be ignored unless it was signed by a CA certificate
that has the CRLsign bit set. I am finding that strongswan seems to ignore
this. If I create a CRL from a certificate that doesn't have the CRLsign bit
set and then revoke the PeerVPNGW cert, I find that the connection
fails as it's seeing the PeerVPNGW cert as being revoked. I would have
expected it to ignore the CRL as the CRLsign bit wasn't set and it shouldn't
be recognised as a valid CRL. Just wondering what your opinions are on this?

Thank you,
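As an added example (not part of the original message and not strongSwan's own code), the following Go program shows the CRL validation both questions touch on, done outside the IKE daemon: a check that can be pointed at the gateway's own certificate as easily as at a peer's, and that refuses a CRL whose issuer certificate lacks the cRLSign key usage bit before it looks at the revoked-serial list. All certificates, keys and the CRL are constructed in the program with Go's standard crypto/x509 package; the names (demo-ca, MyVPNGW, PeerVPNGW), the serial numbers and the helper functions (CheckAgainstCRL, newCA, newLeaf, newCRL, RunScenarios) are assumptions made for the demo. Two CA certificates are built from the same key, one with and one without cRLSign, so that the same CRL signature can be evaluated against both issuer certificates.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of checking one certificate against a trusted CRL.
type Status string

const (
	StatusGood    Status = "good"
	StatusRevoked Status = "revoked"
)

// CheckAgainstCRL validates the CRL before consulting it: issuer name must match
// the CA, the CA must carry cRLSign when it carries keyUsage at all (RFC 5280
// 4.2.1.3), the signature must verify, and "now" must fall inside the
// thisUpdate/nextUpdate window. Only then is the certificate's serial looked up.
// It does not care whose certificate it is given, so a gateway can check its own.
func CheckAgainstCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", fmt.Errorf("parse crl: %w", err)
	}
	if !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
		return "", errors.New("crl issuer does not match the CA subject")
	}
	if issuer.KeyUsage != 0 && issuer.KeyUsage&x509.KeyUsageCRLSign == 0 {
		return "", errors.New("crl issuer lacks the cRLSign key usage bit")
	}
	if err := issuer.CheckSignature(crl.SignatureAlgorithm, crl.RawTBSRevocationList, crl.Signature); err != nil {
		return "", fmt.Errorf("crl signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "", errors.New("crl is outside its thisUpdate/nextUpdate window")
	}
	for _, rc := range crl.RevokedCertificates { // populated by ParseRevocationList on all Go versions
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

// issue signs tmpl with parent (self-signed when parent is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA builds a self-signed demo CA; crlSign decides whether cRLSign is asserted.
func newCA(key *ecdsa.PrivateKey, crlSign bool) *x509.Certificate {
	usage := x509.KeyUsageCertSign
	if crlSign {
		usage |= x509.KeyUsageCRLSign
	}
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"}, // constructed name
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: true,
	}, nil, &key.PublicKey, key)
}

// newLeaf issues an end-entity certificate (constructed CN and serial) under ca.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return issue(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		KeyUsage: x509.KeyUsageDigitalSignature}, ca, &key.PublicKey, caKey)
}

// newCRL signs a CRL listing the given certificates as revoked; the stdlib only
// signs with an issuer that has cRLSign, hence the second CA cert in RunScenarios.
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	return der
}

// RunScenarios reproduces the two situations from the message and returns one
// outcome string per scenario (a map so the caller can inspect each by name).
func RunScenarios() map[string]string {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	caWithCRLSign, caWithoutCRLSign := newCA(caKey, true), newCA(caKey, false) // same key, differing keyUsage
	local := newLeaf(caWithCRLSign, caKey, "MyVPNGW", 1001)
	peer := newLeaf(caWithCRLSign, caKey, "PeerVPNGW", 1002)
	crl := newCRL(caWithCRLSign, caKey, local) // only the local gateway's cert is revoked
	now := time.Now()
	return map[string]string{
		"local cert":           outcome(CheckAgainstCRL(local, caWithCRLSign, crl, now)),
		"peer cert":            outcome(CheckAgainstCRL(peer, caWithCRLSign, crl, now)),
		"issuer lacks cRLSign": outcome(CheckAgainstCRL(peer, caWithoutCRLSign, crl, now)),
	}
}

func outcome(s Status, err error) string {
	if err != nil {
		return "rejected: " + err.Error()
	}
	return string(s)
}

func main() {
	for name, result := range RunScenarios() {
		fmt.Printf("%-22s %s\n", name, result)
	}
}
```

Running it prints "revoked" for the local gateway certificate, "good" for the peer, and a rejection for the CRL presented under the issuer certificate without cRLSign. The order of the checks is the point: the key usage and signature gates come before the serial lookup, so a CRL from a CA that is not entitled to sign CRLs never gets the chance to mark anything revoked, which is the behaviour the message expected from the daemon.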
