Hi,

I'm trying to set up a use case where user certificates are revoked temporarily and then re-activated (think of a user being banned from accessing the server at set times, according to a policy). So I've got an OCSP server that returns either "good" or "revoked" responses according to such policy.

Once my OCSP responder sends a "revoked" answer, strongSwan caches that answer forever and reuses it over and over again, even after it has become stale. I would expect strongSwan to query the OCSP responder again once the cached response becomes stale, but that is not happening.

I don't want to be manually purging the OCSP cache with 'ipsec purgeocsp'.

Is there a way to tell strongSwan to remove the expired responses automatically?

This looks like the same use case that is described at [0].

Here [1] it says:

A valid OCSP response that revokes a particular certificate will be used even if it is stale.

but it doesn't say why, specifically, the response keeps on being used even if certificateHold was specified as the revocation reason.

Thanks.

Details
=======

My OCSP responder is sending revoked responses with a certificateHold (6) CRLReason, and a next update value of 1 minute later than the current time:

    Cert Status: revoked
    Revocation Time: Nov 15 12:00:55 2017 GMT
    Revocation Reason: certificateHold (0x6)
    This Update: Nov 15 12:00:55 2017 GMT
    Next Update: Nov 15 12:01:55 2017 GMT

According to the spec [2], the certificateHold CRLReason means a certificate has been revoked temporarily:

    The "revoked" state indicates that the certificate has been revoked,
    either temporarily (the revocation reason is certificateHold) or
    permanently.

I would expect strongSwan to query the OCSP responder again when the time expires, but it isn't happening. It keeps on using cached OCSP responses even though these are stale:

    charon: 06[CFG] ocsp response correctly signed by "C=ES, ST=XXXX, L=XXXX, O=XXXX, CN=ocsp.localhost"
    charon: 06[CFG] certificate was revoked on Nov 15 12:00:55 UTC 2017, reason: certificate hold
    charon: 06[CFG]   ocsp response is stale: since Nov 15 12:01:55 2017
    charon: 06[CFG]   using cached ocsp response

I can clearly verify, with 'ipsec listocsp' that the response is stale:

    List of OCSP responses:

      signer:   "C=ES, ST=XXXX, L=XXXX, O=XXXX, CN=ocsp.localhost"
      validity:  produced at Nov 15 12:00:55 2017
                 usable till Nov 15 12:01:55 2017, expired (101 seconds ago)

References
==========

[0] [strongSwan] OCSP and CRL - https://lists.strongswan.org/pipermail/users/2015-December/009049.html
[1] Issue #1238 - https://wiki.strongswan.org/issues/1238
[2] RFC 6960 - https://tools.ietf.org/html/rfc6960#section-2.2
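To reproduce a certificateHold answer like the one dumped above and look at exactly what a client sees in thisUpdate/nextUpdate, here is an added example that uses openssl's built-in one-shot OCSP responder (the -index mode) entirely offline. It is not strongSwan code and not the poster's responder; the CA name "test-ca", the client name, serial 4097 (0x1001 in the index) and the one-minute nextUpdate are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example: reproduce a certificateHold OCSP answer offline with openssl's
# built-in one-shot responder (-index). Not strongSwan code, not the poster's
# responder. Assumed for the demo: CA "test-ca", client "client", serial 4097
# (0x1001 in the index), nextUpdate = thisUpdate + 1 minute.
set -eu

# Prints the verified OCSP response (text dump plus openssl's summary) for a
# client certificate that the CA's index lists as revoked with certificateHold,
# then re-reads the saved DER the way a client would re-check a cached answer.
# $1 = nextUpdate offset in minutes (the post's responder used 1).
ocsp_hold_demo() {
    nmin=${1:-1}
    work=$(mktemp -d)
    (
        cd "$work"
        # Throwaway CA and client certificate (constructed test data).
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=test-ca \
            -keyout ca.key -out ca.crt 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj /CN=client \
            -keyout client.key -out client.csr 2>/dev/null
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
            -set_serial 4097 -days 2 -out client.crt 2>/dev/null

        # 'openssl ca' index format, tab separated:
        #   status  expiry  revocationTime,reason  serial(hex)  filename  subject
        # "R" plus certificateHold is the temporary revocation of RFC 5280/6960.
        now=$(date -u +%y%m%d%H%M%SZ)
        printf 'R\t991231235959Z\t%s,certificateHold\t1001\tunknown\t/CN=client\n' \
            "$now" > index.txt

        # One invocation plays both sides: build the request for client.crt,
        # answer it from index.txt (signed with the CA key), verify the answer
        # against ca.crt and print it. -nmin sets nextUpdate = thisUpdate + N min.
        openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
            -nmin "$nmin" -issuer ca.crt -cert client.crt -CAfile ca.crt \
            -respout resp.der -text 2>&1

        # resp.der is what a client would cache. Re-checking it with -respin
        # shows whether openssl still treats it as fresh: the summary prints
        # "WARNING: Status times invalid." once nextUpdate plus the
        # -validity_period slack (default 300 s, here 0) has passed.
        echo "--- re-reading cached resp.der ---"
        openssl ocsp -respin resp.der -issuer ca.crt -cert client.crt \
            -CAfile ca.crt -no_nonce -validity_period 0 2>&1
    )
    rm -rf "$work"
}

ocsp_hold_demo 1
```

Run it as-is and compare the "Cert Status", "Revocation Reason", "This Update" and "Next Update" lines with the responder dump in the post; they come from the same openssl printer. Re-running the second openssl command against a kept resp.der more than a minute later is a quick way to confirm that the response itself has expired. Note that nothing in the response says what a client must do after nextUpdate; whether a stale "revoked" answer is refetched or kept is the client's own policy.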
