[strongSwan] revoke certification with out "ipsec restart"
Nimo
gnimozyu at gmail.com
Wed Sep 6 18:22:52 CEST 2017
Hi,
I'm trying to revoke a Windows machine certificate, but it fails as below.
Could someone please help me?
I made two machine certificates, for Win-A and Win-B.
Windows is Windows 7, and I set it up based on
https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs.
strongSwan is 5.5.3 and ipsec.conf is below.
-------------------------------
conn win_client
        left = %defaultroute
        leftauth = pubkey
        leftcert = serverCert.pem
        leftsubnet = 0.0.0.0/0
        leftid = @<test-server>
        #
        right = %any
        rightsourceip = %pool
        rightid = "C=XX, O=YYY, CN=*"
        rightdns = 8.8.8.8,8.8.8.1,8.8.8.2
        #
        fragmentation = yes
        keyexchange = ikev2
        ike = aes256-sha1-modp1024!
        esp = aes256-sha1!
        rekey = no
        dpdaction = clear
        dpddelay = 30s
        dpdtimeout = 90s
        auto = add
-------------------------------
Then, both Windows 7 machines are able to connect to strongSwan.
I made a revocation file (CRL) for Win-A and put it in /etc/ipsec.d/crls/ as below.
--------------------
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=XX/O=YYY/CN=ZZZ CA
        Last Update: Sep 6 02:04:02 2017 GMT
        Next Update: Jan 7 02:04:02 2027 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:87:50:D9:C2:07:27:33:C1:8B:66:67:7E:CB:08:82:6C:03:9E:F0:F5
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Sep 6 02:04:02 2017 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Signature Algorithm: sha256WithRSAEncryption
----------------------
And I executed the following commands.
----------------------
ipsec rereadcrls
ipsec purgecrls
----------------------
Then Win-A failed to connect to strongSwan, but Win-B can connect to strongSwan.
Next, I added a revocation for Win-B, and put it in /etc/ipsec.d/crls/ as below.
----------------------
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=XX/O=YYY/CN=ZZZ CA
        Last Update: Sep 6 07:09:48 2017 GMT
        Next Update: Jan 7 07:09:48 2027 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:87:50:D9:C2:07:27:33:C1:8B:66:67:7E:CB:08:82:6C:03:9E:F0:F5
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Sep 6 07:04:35 2017 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 04
        Revocation Date: Sep 6 07:09:48 2017 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Signature Algorithm: sha256WithRSAEncryption
----------------------
And I executed the following commands again.
----------------------
ipsec rereadcrls
ipsec purgecrls
----------------------
Then, Win-A failed to connect to strongSwan, and Win-B can connect to strongSwan.
After that, I executed "ipsec restart". Both Win-A and Win-B failed to
connect to strongSwan.
I don't want to use "ipsec restart" because other IPsec sessions are
disconnected.
How can I make the revocation take effect without disconnecting the other
IPsec sessions?
regards,
---
takumi kadode
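As an added example that is not part of the original post or of strongSwan itself: both CRLs quoted above carry CRL Number 1, and strongSwan's credential cache only replaces a cached CRL with one it considers newer (the CRL number is compared when both carry one), so a pre-flight check such as this POSIX shell script, run over the `openssl crl -text -noout` output before `ipsec rereadcrls`, catches a reissued CRL whose number was never incremented. The two dumps embedded below are constructed to mirror the post (signatures omitted); the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a CRL about to be
# dropped into /etc/ipsec.d/crls/ carries a higher CRL Number than the one
# already installed, since strongSwan only swaps in a CRL it considers newer.
# Input is the text form produced by `openssl crl -text -noout -in FILE`.

# Print the X509v3 CRL Number of a text dump (the line after the header).
crl_number() {
    printf '%s\n' "$1" | awk '/X509v3 CRL Number:/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

# Print the revoked serial numbers of a text dump, space-separated.
crl_serials() {
    printf '%s\n' "$1" | awk '/Serial Number:/ { s = s (s ? " " : "") $3 } END { print s }'
}

# Succeed (exit 0) only if NEW may replace OLD, i.e. its CRL Number is higher.
crl_is_newer() {
    old_num=$(crl_number "$1")
    new_num=$(crl_number "$2")
    [ -n "$old_num" ] && [ -n "$new_num" ] || return 1
    [ "$new_num" -gt "$old_num" ]
}

# Constructed dumps mirroring the two CRLs in the post (signatures omitted).
CRL_A='Certificate Revocation List (CRL):
        Issuer: /C=XX/O=YYY/CN=ZZZ CA
        X509v3 CRL Number:
            1
Revoked Certificates:
    Serial Number: 03'
CRL_B='Certificate Revocation List (CRL):
        Issuer: /C=XX/O=YYY/CN=ZZZ CA
        X509v3 CRL Number:
            1
Revoked Certificates:
    Serial Number: 03
    Serial Number: 04'
# The same second CRL, reissued with its CRL Number incremented to 2.
CRL_B2=$(printf '%s\n' "$CRL_B" | sed 's/^ *1$/            2/')

if crl_is_newer "$CRL_A" "$CRL_B"; then echo "B replaces A"; else echo "B is NOT newer than A (both CRL Number 1)"; fi
if crl_is_newer "$CRL_A" "$CRL_B2"; then echo "B2 replaces A (revokes: $(crl_serials "$CRL_B2"))"; fi
```

Reissuing the CRL through `openssl ca -gencrl` with the CA's crlnumber file in place increments the number automatically; a hand-built CRL that reuses number 1 is exactly what this check rejects.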