[strongSwan] Deactivate certificate lifetime check / systime-fix plugin

Tobias Brunner tobias at strongswan.org
Tue Sep 26 10:56:43 CEST 2017


Hi Peter,

> But I see that the systime rechecking has no time limit. E.g. I just
> want to allow Strongswan to ignore the Cert-Lifetimes for about 10min.
> After that I want to recheck the certificate and close the connection if
> the system clock is still invalid. Is it possible to offer this?

Sure, see [1].

> The certificate lifetime is checked against local time at startup once,

No lifetimes are checked at startup.  Actually, strongSwan does not care
whether its own certificate has expired (or is valid at all for that
matter).

> and the remote peer checks my cert also with his local time every time a
> connection is associated or a reauth is done? ... So trying to
> connect with an outdated certificate (client or server side) is not
> possible even if the systime-fix plugin is activated?

As long as the plugin considers the system time invalid, the lifetimes of
certificates are ignored; it doesn't matter whether they are expired or
not yet valid.  Once the system time is corrected (as determined by the
configured threshold), or the timeout is reached, the plugin will
recheck the lifetimes and reject any certificates that are not valid
according to the current system time.

> My second point is to allow to deactivate the lifetime check generally.
> Is this possible?

If you set a threshold in the future and don't set an interval, you
basically get that behavior.

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/systime-fix-timeout
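The two setups discussed in this thread, written out as a strongswan.conf fragment. This is an added example, not configuration posted by Peter or Tobias and not part of the strongSwan distribution; it uses the documented charon.plugins.systime-fix options (threshold, threshold_format, interval, timeout), of which timeout is the one introduced by the branch at [1], so it needs a build that carries that change. The threshold years and the 10-minute grace period are taken from Peter's scenario and are assumptions, not project defaults.

```conf
# strongswan.conf (added example, not from the original thread)
charon {
    plugins {
        systime-fix {
            # The plugin is not built by default; strongSwan has to be
            # configured with --enable-systime-fix for this section to matter.
            load = yes

            # Setup A: tolerate a bogus clock for a limited time.
            # threshold_format defaults to %Y, so any clock reading before 2017
            # (e.g. a device without an RTC booting near the Unix epoch) marks the
            # system time as invalid and certificate lifetimes are ignored.
            threshold = 2017
            # Recheck the clock every 10 seconds while it is considered invalid.
            interval = 10
            # Stop waiting after 10 minutes: lifetimes are then rechecked against
            # whatever the clock says and certificates that are not valid at that
            # time are rejected, as described in the reply above.
            timeout = 10m

            # Setup B: never enforce lifetimes locally (the "disable" trick).
            # A threshold far in the future with no interval means the clock is
            # never considered valid and is never rechecked, so the local
            # lifetime check never runs. The remote peer still validates our
            # certificate against its own clock; nothing here changes that.
            # threshold = 2100
            # interval = 0
        }
    }
}
```

Only one of the two setups can be active at a time; the second is commented out here so the fragment loads as the grace-period configuration. Setup B is the weak setting: it is equivalent to turning off certificate expiry checking for every peer this daemon talks to, so it belongs on isolated test systems, not on production gateways.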

