Hello! We are experiencing two problems when using CRLs. Our Linux systems runs strongSwan 5.6.2.
1) Because we want a hourly update of CRLs and the standard CRLs timeout
is 7 days, we created a cronjob, that fetches the latest CRL every hour.
This CRL file is named:
/etc/ipsec.d/crls/COMPANY-SUB-CA01.crl
For a test, I additionally enabled CRL caching, but this did not
make any difference:
charon {
cache_crls = yes
}
Here is the problematic run:
Aug 22 16:54:44 2101120420063 charon: 15510[CFG] rereading crls from
'/etc/ipsec.d/crls'
Aug 22 16:54:44 2101120420063 charon: 15510[CFG] loaded crl from
'/etc/ipsec.d/crls/0dff165cefbd2ddfb18f27e9215a4897b79f3008.crl'
Aug 22 16:54:44 2101120420063 charon: 15510[LIB] crl #75 is not newer -
existing crl #75 retained
Aug 22 16:54:44 2101120420063 charon: 15510[CFG] loaded crl from
'/etc/ipsec.d/crls/2d07eba139f0caad8a5ef7b87d542c46bbcd48ab.crl'
Aug 22 16:54:44 2101120420063 charon: 15510[LIB] crl #02 is not newer -
existing crl #02 retained
Aug 22 16:54:44 2101120420063 charon: 15510[CFG] loaded crl from
'/etc/ipsec.d/crls/48db6c1436fcdce1dc14b91619344b669e4dee6c.crl'
Aug 22 16:54:44 2101120420063 charon: 15510[LIB] crl #01:62:32 is not newer
- existing crl #01:62:32 retained
Aug 22 16:54:44 2101120420063 charon: 15510[CFG] loaded crl from
'/etc/ipsec.d/crls/COMPANY-SUB-CA01.crl'
Aug 22 16:54:44 2101120420063 charon: 15510[LIB] crl #77 is newer -
existing crl #75 replaced
As you can see here, the manually updated CRL is newer (#77) and strongSwan
replaces the old one (#75) by this new version. This seems to be correct.
In the new (#77) CRL I have the following entry:
Serial Number: 2500000075E60D6340C615C22D000100000075
Revocation Date: Aug 22 16:49:00 2018 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Certificate Hold
Now, if I try to connect, I get the following output and the user is accepted.
But this is wrong, because the certificate is on hold!
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] crl is valid: until Aug 30
04:58:47 2018
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] using cached crl
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] fetching crl from
'http://ca.company-group.local/CertEnroll/COMPANY-SUB-CA01+.crl' ...
Aug 22 16:54:53 2101120420063 charon: 15504[LIB] sending request to
'http://ca.company-group.local/CertEnroll/COMPANY-SUB-CA01+.crl'...
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] fetching crl from
'http://ca.COMPANY.net/CertEnroll/COMPANY-SUB-CA01+.crl' ...
Aug 22 16:54:53 2101120420063 charon: 15504[LIB] sending request to
'http://ca.COMPANY.net/CertEnroll/COMPANY-SUB-CA01+.crl'...
Aug 22 16:54:53 2101120420063 charon: 15504[LIB] libcurl request failed [60]:
SSL certificate problem, verify that the CA cert is OK. Details:
Aug 22 16:54:53 2101120420063 charon: 15504[LIB] error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] crl fetching failed
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] certificate status is good
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] certificate "DC=local,
DC=company-group, CN=COMPANY-SUB-CA01" key: 4096 bit RSA
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] using trusted ca
certificate "CN=COMPANY-ROOT-CA01"
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] checking certificate status
of "DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] ocsp check skipped, no ocsp
found
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] using trusted certificate
"CN=COMPANY-ROOT-CA01"
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] crl correctly signed by
"CN=COMPANY-ROOT-CA01"
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] crl is valid: until Jun 05
21:52:45 2028
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] using cached crl
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] certificate status is good
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] certificate
"CN=COMPANY-ROOT-CA01" key: 4096 bit RSA
Aug 22 16:54:53 2101120420063 charon: 15504[CFG] reached self-signed root
ca with a path length of 1
Aug 22 16:54:53 2101120420063 charon: 15504[IKE] authentication of
'testu...@company.de' with RSA signature successful
If I restart strongSwan the user is denied correctly:
certificate was revoked on Aug 22 16:52:00 UTC 2018, reason: certificate hold
Where is my fault and can somebody explain it?
2) And we have another problem with delta CRLs:
As I understand strongSwan is supporting delta CRLs. The following line in the
logfile
shows, that strongSwan correctly fetches the (delta) CRL:
Aug 22 16:00:53 2101120420063 charon: 30400[CFG] fetching crl from
'http://ca.company-group.local/CertEnroll/COMPANY-SUB-CA01+.crl' ...
And the delta CRL has an entry with reason "remove from crl" in it.
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] using trusted certificate
"DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] crl correctly signed by
"DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] crl is valid: until Aug 29
04:02:43 2018
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] using cached crl
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] certificate "DC=local,
DC=company-group, CN=COMPANY-SUB-CA01" key: 4096 bit RSA
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] using trusted ca
certificate "CN=COMPANY-ROOT-CA01"
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] certificate
"CN=COMPANY-ROOT-CA01" key: 4096 bit RSA
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] reached self-signed root
ca with a path length of 0
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] using trusted certificate
"DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] crl correctly signed by
"DC=local, DC=company-group, CN=COMPANY-SUB-CA01"
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] crl is valid: until Aug 24
04:11:38 2018
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] certificate was revoked on
Aug 22 14:01:35 UTC 2018, reason: remove from crl
Aug 22 16:01:43 2101120420063 charon: 30400[CFG] using cached crl
Aug 22 16:01:43 2101120420063 charon: 30400[IKE] no trusted RSA public key
found for 'testu...@company.de'
But as you can see here, the user is denied.
What happened here? Is the (delta) reason "remove from crl" misinterpreted as an
revocation reason?
Regards
Sven Anders
--
Sven Anders <and...@anduras.de> () UTF-8 Ribbon Campaign
/\ Support plain text e-mail
ANDURAS intranet security AG
Messestrasse 3 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
- Benjamin Franklin
<<attachment: anders.vcf>>
