[strongSwan] strongSwan reuses stale OCSP responses
Ander Juaristi
a at juaristi.eus
Wed Nov 15 13:23:24 CET 2017
Hi,
I'm trying to set up a use case where user certificates are revoked
temporarily and then re-activated (think of a user being banned from
accessing the server at set times, according to a policy). So I've got
an OCSP server that returns either "good" or "revoked" responses
according to such policy.
Once my OCSP responder sends a "revoked" answer, strongSwan caches that
answer forever and reuses it over and over again even after it becomes
stale. I would expect strongSwan to query the OCSP responder again once
the cached response becomes stale, but it is not happening.
I don't want to be manually purging the OCSP cache with 'ipsec
purgeocsp'.
Is there a way to tell strongSwan to remove the expired responses
automatically?
This looks like the same use case that is described at [0].
Here [1] it says:

    A valid OCSP response that revokes a particular certificate will be
    used even if it is stale.

but it doesn't say why, specifically why the response keeps on being
used even if certificateHold was specified as the revoke reason.
Thanks.
Details
=======
My OCSP responder is sending revoked responses with a certificateHold
(6) CRLReason, and a next update value of 1 minute later than the
current time:

    Cert Status: revoked
    Revocation Time: Nov 15 12:00:55 2017 GMT
    Revocation Reason: certificateHold (0x6)
    This Update: Nov 15 12:00:55 2017 GMT
    Next Update: Nov 15 12:01:55 2017 GMT

According to the spec [2], the certificateHold CRLReason means a
certificate has been revoked temporarily:

    The "revoked" state indicates that the certificate has been revoked,
    either temporarily (the revocation reason is certificateHold) or
    permanently.

I would expect strongSwan to query the OCSP responder again when the
time expires, but that is not happening. It keeps on using cached OCSP
responses even though these are stale:

    charon: 06[CFG] ocsp response correctly signed by "C=ES, ST=XXXX, L=XXXX, O=XXXX, CN=ocsp.localhost"
    charon: 06[CFG] certificate was revoked on Nov 15 12:00:55 UTC 2017, reason: certificate hold
    charon: 06[CFG] ocsp response is stale: since Nov 15 12:01:55 2017
    charon: 06[CFG] using cached ocsp response

I can clearly verify, with 'ipsec listocsp', that the response is stale:

    List of OCSP responses:
    signer: "C=ES, ST=XXXX, L=XXXX, O=XXXX, CN=ocsp.localhost"
    validity: produced at Nov 15 12:00:55 2017
    usable till Nov 15 12:01:55 2017, expired (101 seconds ago)

References
==========
[0] [strongSwan] OCSP and CRL -
https://lists.strongswan.org/pipermail/users/2015-December/009049.html
[1] Issue #1238 - https://wiki.strongswan.org/issues/1238
[2] RFC 6960 - https://tools.ietf.org/html/rfc6960#section-2.2
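
The cache decision discussed in this message, modelled as an added example that is not part of the original post and is not strongSwan code. It sets the behaviour quoted from issue #1238 beside an assumed alternative in which a stale certificateHold response is re-queried and a failed re-query fails closed; all type and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

/* All names are hypothetical; this models the decision, it is not strongSwan code. */
enum { REASON_CERTIFICATE_HOLD = 6 };   /* CRLReason value shown in the message */
typedef enum { CERT_GOOD, CERT_REVOKED } cert_status_t;
typedef enum { USE_CACHED, REFETCH } cache_action_t;

typedef struct {
    cert_status_t status;
    int reason;                 /* only meaningful when status == CERT_REVOKED */
    time_t this_update, next_update;
} ocsp_entry_t;

/* Sample built from the message: hold issued 12:00:55 GMT, nextUpdate 60 s later. */
ocsp_entry_t sample_hold_entry(void)
{
    time_t t = 1510747255;      /* Nov 15 12:00:55 2017 GMT */
    ocsp_entry_t e = { CERT_REVOKED, REASON_CERTIFICATE_HOLD, t, t + 60 };
    return e;
}

static bool is_stale(const ocsp_entry_t *e, time_t now) { return now > e->next_update; }

/* Behaviour quoted from issue #1238: a revoking response is used even if stale. */
cache_action_t sticky_policy(const ocsp_entry_t *e, time_t now)
{
    if (e->status == CERT_REVOKED)
        return USE_CACHED;
    return is_stale(e, now) ? REFETCH : USE_CACHED;
}

/* Assumed alternative: only a permanent revocation outlives nextUpdate. */
cache_action_t hold_aware_policy(const ocsp_entry_t *e, time_t now)
{
    if (e->status == CERT_REVOKED && e->reason != REASON_CERTIFICATE_HOLD)
        return USE_CACHED;
    return is_stale(e, now) ? REFETCH : USE_CACHED;
}

/* fresh == NULL means the re-query failed; the decision then fails closed. */
bool accept_cert(const ocsp_entry_t *cached, const ocsp_entry_t *fresh, time_t now)
{
    if (hold_aware_policy(cached, now) == USE_CACHED)
        return cached->status == CERT_GOOD;
    if (fresh == NULL || is_stale(fresh, now))
        return false;           /* no fresh proof of "good": deny */
    return fresh->status == CERT_GOOD;
}
```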