[strongSwan] Problems with CRLs

Sven Anders anders at anduras.de
Wed Aug 22 17:48:19 CEST 2018 

Hello!

We are experiencing two problems when using CRLs.
Our Linux systems runs strongSwan 5.6.2.


1) Because we want a hourly update of CRLs and the standard CRLs timeout
   is 7 days, we created a cronjob, that fetches the latest CRL every hour.

This CRL file is named:

  /etc/ipsec.d/crls/COMPANY-SUB-CA01.crl

For a test, I additionally enabled CRL caching, but this did not
make any difference:

charon {
    cache_crls = yes
}


Here is the problematic run:

  Aug 22 16:54:44 2101120420063 charon: 15510[CFG] rereading crls from '/etc/ipsec.d/crls'
  Aug 22 16:54:44 2101120420063 charon: 15510[CFG]   loaded crl from '/etc/ipsec.d/crls/0dff165cefbd2ddfb18f27e9215a4897b79f3008.crl'
  Aug 22 16:54:44 2101120420063 charon: 15510[LIB]   crl #75 is not newer - existing crl #75 retained
  Aug 22 16:54:44 2101120420063 charon: 15510[CFG]   loaded crl from '/etc/ipsec.d/crls/2d07eba139f0caad8a5ef7b87d542c46bbcd48ab.crl'
  Aug 22 16:54:44 2101120420063 charon: 15510[LIB]   crl #02 is not newer - existing crl #02 retained
  Aug 22 16:54:44 2101120420063 charon: 15510[CFG]   loaded crl from '/etc/ipsec.d/crls/48db6c1436fcdce1dc14b91619344b669e4dee6c.crl'
  Aug 22 16:54:44 2101120420063 charon: 15510[LIB]   crl #01:62:32 is not newer - existing crl #01:62:32 retained
  Aug 22 16:54:44 2101120420063 charon: 15510[CFG]   loaded crl from '/etc/ipsec.d/crls/COMPANY-SUB-CA01.crl'
  Aug 22 16:54:44 2101120420063 charon: 15510[LIB]   crl #77 is newer - existing crl #75 replaced

As you can see here, the manually updated CRL is newer (#77) and strongSwan
replaces the old one (#75) by this new version. This seems to be correct.

In the new (#77) CRL I have the following entry:

  Serial Number: 2500000075E60D6340C615C22D000100000075
         Revocation Date: Aug 22 16:49:00 2018 GMT
         CRL entry extensions:
             X509v3 CRL Reason Code:
                 Certificate Hold

Now, if I try to connect, I get the following output and the user is accepted.
But this is wrong, because the certificate is on hold!

  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   crl is valid: until Aug 30 04:58:47 2018
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   using cached crl
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   fetching crl from 'http://ca.company-group.local/CertEnroll/COMPANY-SUB-CA01+.crl' ...
  Aug 22 16:54:53 2101120420063 charon: 15504[LIB]   sending request to 'http://ca.company-group.local/CertEnroll/COMPANY-SUB-CA01+.crl'...
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   fetching crl from 'http://ca.COMPANY.net/CertEnroll/COMPANY-SUB-CA01+.crl' ...
  Aug 22 16:54:53 2101120420063 charon: 15504[LIB]   sending request to 'http://ca.COMPANY.net/CertEnroll/COMPANY-SUB-CA01+.crl'...
  Aug 22 16:54:53 2101120420063 charon: 15504[LIB] libcurl request failed [60]: SSL certificate problem, verify that the CA cert is OK. Details:
  Aug 22 16:54:53 2101120420063 charon: 15504[LIB] error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG] crl fetching failed
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG] certificate status is good
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   certificate "DC=local, DC=company-group, CN=COMPANY-SUB-CA01" key: 4096 bit RSA
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   using trusted ca certificate "CN=COMPANY-ROOT-CA01"
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG] checking certificate status of "DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG] ocsp check skipped, no ocsp found
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   using trusted certificate "CN=COMPANY-ROOT-CA01"
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   crl correctly signed by "CN=COMPANY-ROOT-CA01"
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   crl is valid: until Jun 05 21:52:45 2028
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   using cached crl
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG] certificate status is good
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   certificate "CN=COMPANY-ROOT-CA01" key: 4096 bit RSA
  Aug 22 16:54:53 2101120420063 charon: 15504[CFG]   reached self-signed root ca with a path length of 1
  Aug 22 16:54:53 2101120420063 charon: 15504[IKE] authentication of 'testuser at COMPANY.de' with RSA signature successful

If I restart strongSwan the user is denied correctly:

  certificate was revoked on Aug 22 16:52:00 UTC 2018, reason: certificate hold

Where is my fault and can somebody explain it?


2) And we have another problem with delta CRLs:

As I understand strongSwan is supporting delta CRLs. The following line in the logfile
shows, that strongSwan correctly fetches the (delta) CRL:

  Aug 22 16:00:53 2101120420063 charon: 30400[CFG]   fetching crl from 'http://ca.company-group.local/CertEnroll/COMPANY-SUB-CA01+.crl' ...

And the delta CRL has an entry with reason "remove from crl" in it.

  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   using trusted certificate "DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   crl correctly signed by "DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   crl is valid: until Aug 29 04:02:43 2018
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   using cached crl
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   certificate "DC=local, DC=company-group, CN=COMPANY-SUB-CA01" key: 4096 bit RSA
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   using trusted ca certificate "CN=COMPANY-ROOT-CA01"
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   certificate "CN=COMPANY-ROOT-CA01" key: 4096 bit RSA
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   reached self-signed root ca with a path length of 0
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   using trusted certificate "DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   crl correctly signed by "DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   crl is valid: until Aug 24 04:11:38 2018
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG] certificate was revoked on Aug 22 14:01:35 UTC 2018, reason: remove from crl
  Aug 22 16:01:43 2101120420063 charon: 30400[CFG]   using cached crl
  Aug 22 16:01:43 2101120420063 charon: 30400[IKE] no trusted RSA public key found for 'testuser at COMPANY.de'

But as you can see here, the user is denied.

What happened here? Is the (delta) reason "remove from crl" misinterpreted as an
revocation reason?

Regards
 Sven Anders

-- 
 Sven Anders <anders at anduras.de>                 () UTF-8 Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: anders.vcf
Type: text/x-vcard
Size: 339 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180822/251c23e7/attachment.vcf>

More information about the Users mailing list