[strongSwan] strongSwan reuses stale OCSP responses
Ander Juaristi
a at juaristi.eus
Wed Nov 15 16:30:21 CET 2017
Well, looking at the source code (5.6.0 release tarball), the "offending
line" is at revocation_validator.c:264:
    if (revoked)
    {   /* revoked always counts, even if stale */
        *valid = VALIDATION_REVOKED;
    }
So two questions now come to my mind:
1. What's the reason for this? I might well have missed some detail in
the specs or maybe it's just a strongSwan-specific design decision. In
either case (for my own education), what's that line there for?
2. I've seen the stale OCSP responses are deleted from the cache on a
'ipsec restart'. Could you please point me to the piece of code where
that cache purge is done?
Regards,
- AJ
On 2017-11-15 13:23, Ander Juaristi wrote:
> Hi,
>
> I'm trying to set up a use case where user certificates are revoked
> temporarily and then re-activated (think of a user being banned from
> accessing the server at set times, according to a policy). So I've got
> an OCSP server that returns either "good" or "revoked" responses
> according to such policy.
>
> Once my OCSP responder sends a "revoked" answer, strongSwan caches
> that answer forever and reuses it over and over again even after it
> becoming stale. I would expect strongSwan to query the OCSP responder
> again once the cached response becomes stale, but it is not happening.
>
> I don't want to be manually purging the OCSP cache with 'ipsec
> purgeocsp'.
>
> Is there a way to tell strongSwan to remove the expired responses
> automatically?
>
> This looks like the same use case that is described at [0].
>
> Here [1] it says:
>
> A valid OCSP response that revokes a particular certificate will
> be used even if it is stale.
>
> but it doesn't say specifically why the response keeps on being used
> even if certificateHold was specified as the revoke reason.
>
> Thanks.
>
> Details
> =======
>
> My OCSP responder is sending revoked responses with a certificateHold
> (6) CRLReason, and a next update value of 1 minute later than the
> current time:
>
> Cert Status: revoked
> Revocation Time: Nov 15 12:00:55 2017 GMT
> Revocation Reason: certificateHold (0x6)
> This Update: Nov 15 12:00:55 2017 GMT
> Next Update: Nov 15 12:01:55 2017 GMT
>
> According to the spec [2], the certificateHold CRLReason means a
> certificate has been revoked temporarily:
>
> The "revoked" state indicates that the certificate has been revoked,
> either temporarily (the revocation reason is certificateHold) or
> permanently.
>
> I would expect strongSwan to query the OCSP responder again when the
> time expires, but that's not happening. It keeps on using cached OCSP
> responses even though these are stale:
>
> charon: 06[CFG] ocsp response correctly signed by "C=ES, ST=XXXX, L=XXXX, O=XXXX, CN=ocsp.localhost"
> charon: 06[CFG] certificate was revoked on Nov 15 12:00:55 UTC 2017, reason: certificate hold
> charon: 06[CFG] ocsp response is stale: since Nov 15 12:01:55 2017
> charon: 06[CFG] using cached ocsp response
>
> I can clearly verify, with 'ipsec listocsp' that the response is stale:
>
> List of OCSP responses:
>
> signer: "C=ES, ST=XXXX, L=XXXX, O=XXXX, CN=ocsp.localhost"
> validity: produced at Nov 15 12:00:55 2017
> usable till Nov 15 12:01:55 2017, expired (101 seconds ago)
>
> References
> ==========
>
> [0] [strongSwan] OCSP and CRL -
> https://lists.strongswan.org/pipermail/users/2015-December/009049.html
> [1] Issue #1238 - https://wiki.strongswan.org/issues/1238
> [2] RFC 6960 - https://tools.ietf.org/html/rfc6960#section-2.2
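As an added example (not part of this thread or of strongSwan), the check below runs over charon log lines of the shape quoted above and flags each worker that reuses a cached, stale OCSP response whose revocation reason is certificate hold, i.e. the temporary-revocation case the thread is about. The sample log and the "now" timestamp are constructed to match the figures in the quoted listocsp output; the worker-07 lines with a permanent reason are constructed too and are there to show that they are not flagged.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the charon lines quoted in the thread.
# Worker 06 reuses a stale certificateHold response (the reported case);
# worker 07 reuses a stale response with a permanent reason (expected).
SAMPLE_LOG = """\
charon: 06[CFG] ocsp response correctly signed by "C=ES, ST=XXXX, L=XXXX, O=XXXX, CN=ocsp.localhost"
charon: 06[CFG] certificate was revoked on Nov 15 12:00:55 UTC 2017, reason: certificate hold
charon: 06[CFG] ocsp response is stale: since Nov 15 12:01:55 2017
charon: 06[CFG] using cached ocsp response
charon: 07[CFG] certificate was revoked on Nov 14 09:10:00 UTC 2017, reason: key compromise
charon: 07[CFG] ocsp response is stale: since Nov 14 10:10:00 2017
charon: 07[CFG] using cached ocsp response
"""
# Constructed "now": 101 seconds after the worker-06 response went stale,
# matching the "expired (101 seconds ago)" figure in the thread.
NOW = datetime(2017, 11, 15, 12, 3, 36)

LINE = re.compile(r'charon: (?P<worker>\d+)\[CFG\] (?P<msg>.*)$')
REVOKED = re.compile(r'certificate was revoked on (?P<when>.+?), reason: (?P<reason>.+)$')
STALE = re.compile(r'ocsp response is stale: since (?P<since>.+)$')
TIME_FMT = '%b %d %H:%M:%S %Y'   # format of the "since" timestamp in the log


def find_stale_hold_reuse(log_text, now):
    """Return one finding per worker that reused a cached, stale OCSP
    response whose revocation reason is certificate hold."""
    state = {}      # worker id -> facts seen for the check in progress
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        worker, msg = m.group('worker'), m.group('msg')
        seen = state.setdefault(worker, {})
        r = REVOKED.match(msg)
        if r:
            seen['reason'] = r.group('reason')
            continue
        st = STALE.match(msg)
        if st:
            seen['stale_since'] = datetime.strptime(st.group('since'), TIME_FMT)
            continue
        if msg == 'using cached ocsp response':
            # A stale hold reused: the responder should have been asked again.
            if seen.get('reason') == 'certificate hold' and 'stale_since' in seen:
                findings.append({'worker': worker,
                                 'stale_for': now - seen['stale_since']})
            state[worker] = {}   # this check is finished; reset the worker
    return findings
```

Run against a real charon log, the 'stale_for' value tells you how long a temporarily held certificate has been treated as revoked without a fresh responder answer.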