
Issue #1237

CRL not validating correctly

Added by Kilian Krause almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
libstrongswan
Affected version:
5.2.1
Resolution:
Fixed

Description

Hi,

While setting up a strongswan with our certs, I do see in the logs:

05[TLS] received TLS peer certificate 'C=DE, L=Stuttgart, O=Universitaet Stuttgart, OU=NKS, CN=Kilian Krause'
05[TLS] received TLS intermediate certificate 'C=DE, L=Stuttgart, O=Universitaet Stuttgart, CN=Universitaet Stuttgart CA - G01, E='
05[TLS] received TLS intermediate certificate 'C=DE, O=DFN-Verein, OU=DFN-PKI, CN=DFN-Verein PCA Global - G01'
05[TLS] received TLS intermediate certificate 'C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2'
05[CFG] using certificate "C=DE, L=Stuttgart, O=Universitaet Stuttgart, OU=NKS, CN=Kilian Krause"
05[CFG] using trusted intermediate ca certificate "C=DE, L=Stuttgart, O=Universitaet Stuttgart, CN=Universitaet Stuttgart CA - G01, E="
05[CFG] checking certificate status of "C=DE, L=Stuttgart, O=Universitaet Stuttgart, OU=NKS, CN=Kilian Krause"
05[CFG] fetching crl from 'http://cdp1.pca.dfn.de/uni-stuttgart-ca/pub/crl/cacrl.crl' ...
05[CFG] using trusted intermediate ca certificate "C=DE, O=DFN-Verein, OU=DFN-PKI, CN=DFN-Verein PCA Global - G01"
05[CFG] policy 2.5.29.32.0 missing in issuing certificate 'C=DE, O=DFN-Verein, OU=DFN-PKI, CN=DFN-Verein PCA Global - G01'
05[CFG] crl response verification failed
05[CFG] fetching crl from 'http://cdp2.pca.dfn.de/uni-stuttgart-ca/pub/crl/cacrl.crl' ...
05[CFG] using trusted intermediate ca certificate "C=DE, O=DFN-Verein, OU=DFN-PKI, CN=DFN-Verein PCA Global - G01"
05[CFG] policy 2.5.29.32.0 missing in issuing certificate 'C=DE, O=DFN-Verein, OU=DFN-PKI, CN=DFN-Verein PCA Global - G01'
05[CFG] crl response verification failed
05[CFG] certificate status is not available

...

The missing policy is the "anyPolicy", according to https://tools.ietf.org/html/rfc5280

Why exactly is this OID policy part relevant? Since a child CA cannot exceed its parent CA's policy, the OID policy match should implicitly default to the parent's OID policy (unless, of course, this is a root CA). Thus in our case there is an implicit policy that is perfectly valid for what strongSwan wants to check.

Is there any way to work around this and ensure a proper validation of the CA and CRL/OCSP for our use case?

TIA!
Kilian
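To make the two readings of the log concrete, here is an added example (not strongSwan code, and not taken from the report) that compares a strict per-issuer policy check, modelled on the "policy ... missing in issuing certificate" line, with the path-wide policy intersection of RFC 5280 section 6.1.3, where anyPolicy (2.5.29.32.0) in a child matches whatever the issuer already allows. The chain and the issuer's policy OID are constructed placeholders; policy mappings and qualifiers are ignored.

```python
"""Simplified RFC 5280 certificate-policy processing (section 6.1.3).
A chain is issuer-first and excludes the trust anchor; each element is the
set of OIDs from the certificate's certificatePolicies extension, or None
when the extension is absent.  Policy mappings and qualifiers are ignored."""

ANY_POLICY = "2.5.29.32.0"  # the anyPolicy OID


def strict_check(chain):
    """Per-link check modelled on the log line in the report: every policy
    OID a certificate asserts must be listed by its issuer, unless the
    issuer asserts anyPolicy.  Returns (ok, message)."""
    for issuer, subject in zip(chain, chain[1:]):
        issuer_policies = issuer or set()
        if ANY_POLICY in issuer_policies or not subject:
            continue
        missing = sorted(subject - issuer_policies)
        if missing:
            return False, f"policy {missing[0]} missing in issuing certificate"
    return True, "ok"


def valid_policies(chain):
    """Path-wide intersection: anyPolicy in a certificate keeps the issuer's
    policies in force; a certificate without the extension empties the set
    (a NULL valid_policy_tree), which only matters if a policy is required."""
    valid = {ANY_POLICY}
    for policies in chain:
        if policies is None or not valid:
            valid = set()
        elif ANY_POLICY in policies:
            pass  # child asserts anyPolicy: inherit what the issuer allows
        elif ANY_POLICY in valid:
            valid = set(policies)
        else:
            valid &= policies
    return valid


def path_acceptable(chain, required=None):
    """Accept the path unless the caller requires a policy that did not survive."""
    valid = valid_policies(chain)
    return True if required is None else bool(valid & required)


# Constructed chain mirroring the report: the intermediate issuer asserts one
# specific policy (placeholder OID); the CRL-signing CA asserts anyPolicy.
ISSUER_POLICY = "1.3.6.1.4.1.99999.1"  # constructed placeholder OID
CHAIN = [{ISSUER_POLICY}, {ANY_POLICY}]
```

On CHAIN the strict check fails with the same wording as the log, while the RFC-style intersection yields the issuer's policy set and accepts the path.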


Related issues

Related to Bug #453: constraints_validator's check_policy is too strict (Closed)

History

#1 Updated by Martin Willi almost 5 years ago

  • Status changed from New to Feedback

Hi,

Most likely updating to 5.2.2 fixes this issue, see #453.

Regards
Martin

#2 Updated by Kilian Krause almost 5 years ago

Upgrading to 5.3.5 (Debian stretch) no longer shows this error but reports some more "ignored" lines.

Thanks for the pointer!

#3 Updated by Tobias Brunner almost 5 years ago

  • Related to Bug #453: constraints_validator's check_policy is too strict added

#4 Updated by Tobias Brunner almost 5 years ago

  • Category set to libstrongswan
  • Status changed from Feedback to Closed
  • Assignee set to Martin Willi
  • Resolution set to Fixed
