Emeric POUPON
2017-08-25 08:22:51 UTC
Hello,
Here is the situation:
- strongSwan 5.5.3
- a valid CRL is required (strictcrlpolicy = yes)
- the CRL used is expired
The problem is that our custom authorize hook is called (with final = FALSE) even if the CRL is expired:
Aug 10 04:05:11 14[CFG] <MYCONN|1> crl correctly signed by "C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_IPSec1"
Aug 10 04:05:11 14[CFG] <MYCONN|1> crl is stale: since Aug 10 02:53:17 2017
...
Aug 10 04:05:11 14[CFG] <MYCONN|1> certificate policy 2.5.29.32.0 for 'C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_LongerInitiator1,ou=users,o=mycompany,dc=fr, E=***@TestInt.int' not allowed by trustchain, ignored
...
Aug 10 04:05:11 14[CFG] <MYCONN|1> certificate "C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_IPSec1" key: 2048 bit RSA
Aug 10 04:05:11 14[CFG] <MYCONN|1> reached self-signed root ca with a path length of 0
Aug 10 04:05:11 14[IKE] <MYCONN|1> authentication of 'C=FR, ST=FR, L=VDA, O=TestIntInt, OU=Test, CN=External_LongerInitiator1,ou=users,o=mycompany,dc=fr, E=***@TestInt.int' with RSA_EMSA_PKCS1_SHA2_256 successful
*** Authorization hook called here
Aug 10 04:05:11 14[CFG] <MYCONN|1> constraint check failed: RULE_CRL_VALIDATION is STALE, but requires at least GOOD
Aug 10 04:05:11 14[CFG] <MYCONN|1> selected peer config 'MYCONN' inacceptable: non-matching authentication done
It looks like the hook should not be called in that situation, in order to prevent useless external requests to check permissions.
As a workaround, how could we check the CRL validation status in our custom plugin during the authorize hook?
Regards,
Emeric