Hello,

Here is the situation:
- strongSwan 5.5.3
- a valid CRL is required (strictcrlpolicy = yes)
- the CRL used is expired

The problem is that our custom authorize hook is called (with final = FALSE) even if the CRL is expired:

Aug 10 04:05:11 14[CFG] <MYCONN|1> crl correctly signed by "C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_IPSec1"
Aug 10 04:05:11 14[CFG] <MYCONN|1> crl is stale: since Aug 10 02:53:17 2017
...
Aug 10 04:05:11 14[CFG] <MYCONN|1> certificate policy 2.5.29.32.0 for 'C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_LongerInitiator1,ou=users,o=mycompany,dc=fr, [email protected]' not allowed by trustchain, ignored
...
Aug 10 04:05:11 14[CFG] <MYCONN|1> certificate "C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_IPSec1" key: 2048 bit RSA
Aug 10 04:05:11 14[CFG] <MYCONN|1> reached self-signed root ca with a path length of 0
Aug 10 04:05:11 14[IKE] <MYCONN|1> authentication of 'C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_LongerInitiator1,ou=users,o=mycompany,dc=fr, [email protected]' with RSA_EMSA_PKCS1_SHA2_256 successful
*** Authorization hook called here
Aug 10 04:05:11 14[CFG] <MYCONN|1> constraint check failed: RULE_CRL_VALIDATION is STALE, but requires at least GOOD
Aug 10 04:05:11 14[CFG] <MYCONN|1> selected peer config 'MYCONN' inacceptable: non-matching authentication done

It looks like the hook should not be called in that situation, in order to prevent useless external requests to check permissions.

As a workaround, how could we check the CRL validation status in our custom plugin during the authorize hook?

Regards,
Emeric
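The following is an added example, not part of Emeric's message and not strongSwan's own code: a stand-alone C model of the check a custom listener authorize hook could perform on the CRL validation status before spending an external permission request. The state names follow what the log above prints (GOOD, SKIPPED, STALE, ...); the enum ordering, the helper names (`crl_status_complies`, `authorize_model`, `external_permission_check`) and the "requires at least" rules are assumptions made for this model. Where the status would come from in a real plugin is shown only as an assumed snippet in the leading comment and is not exercised here.

```c
/* Added example, not strongSwan code and not from the original post.
 * Models the decision a custom listener_t authorize() hook could take on
 * the CRL validation status that the constraint check later evaluates.
 * In a real plugin the status would (assumption, not verified here) be
 * read from the remote auth config of the IKE_SA, roughly:
 *   auth_cfg_t *auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
 *   uintptr_t status = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Validation states named as in the strongSwan log; order is a model
 * assumption (best state first). */
typedef enum {
    VALIDATION_GOOD = 0,
    VALIDATION_SKIPPED,
    VALIDATION_STALE,
    VALIDATION_FAILED,
    VALIDATION_REVOKED,
    VALIDATION_ON_HOLD,
} cert_validation_t;

static const char *validation_name(cert_validation_t v)
{
    switch (v) {
    case VALIDATION_GOOD:    return "GOOD";
    case VALIDATION_SKIPPED: return "SKIPPED";
    case VALIDATION_STALE:   return "STALE";
    case VALIDATION_FAILED:  return "FAILED";
    case VALIDATION_REVOKED: return "REVOKED";
    case VALIDATION_ON_HOLD: return "ON_HOLD";
    }
    return "?";
}

/* "Requires at least X" semantics as modelled here: a GOOD requirement
 * accepts only GOOD, a SKIPPED requirement accepts GOOD or SKIPPED, and a
 * FAILED requirement is treated as "no constraint".  strictcrlpolicy=yes
 * corresponds to the GOOD requirement seen in the log. */
bool crl_status_complies(cert_validation_t required, cert_validation_t actual)
{
    switch (required) {
    case VALIDATION_FAILED:
        return true;
    case VALIDATION_SKIPPED:
        return actual == VALIDATION_GOOD || actual == VALIDATION_SKIPPED;
    case VALIDATION_GOOD:
        return actual == VALIDATION_GOOD;
    default:
        return false;
    }
}

/* Stand-in for the expensive external permission lookup the post wants to
 * avoid; counts how often it was actually reached. */
static int external_requests;

static bool external_permission_check(const char *peer_id)
{
    external_requests++;
    printf("external permission check for %s\n", peer_id);
    return true;
}

int external_request_count(void)
{
    return external_requests;
}

/* Model of the authorize hook body: refuse early when the CRL status
 * would fail the constraint check anyway, so no external request is made.
 * 'final' mirrors the hook's parameter; this model acts the same way on
 * both rounds, as the post's plugin apparently does. */
bool authorize_model(cert_validation_t crl_status, cert_validation_t required,
                     bool final, const char *peer_id)
{
    if (!crl_status_complies(required, crl_status)) {
        printf("CRL validation is %s, requires at least %s (final=%d): "
               "not authorizing\n", validation_name(crl_status),
               validation_name(required), final);
        return false;
    }
    return external_permission_check(peer_id);
}

int main(void)
{
    /* Constructed inputs mirroring the post: stale CRL, strictcrlpolicy=yes */
    authorize_model(VALIDATION_STALE, VALIDATION_GOOD, false, "External_LongerInitiator1");
    authorize_model(VALIDATION_GOOD, VALIDATION_GOOD, true, "External_LongerInitiator1");
    printf("external requests made: %d\n", external_request_count());
    return 0;
}
```

With the stale CRL from the log, the model refuses in the non-final round without reaching the external lookup; only the GOOD case triggers it.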
