Project

General

Profile

Feature #305

X509 CA store is not purged during 'ipsec rereadcacerts'

Added by Tomas Chmelar about 8 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Martin Willi
Category:
libcharon
Target version:
5.3.0
Start date:
06.03.2013
Due date:
Estimated time:
Resolution:
Fixed

Description

Steps to reproduce:
1. Have 2 IPsec clients (A,B) configured to use own certificate, signed by different CA
2. Have this 2 CA in cacerts folder
3. Establish IPsec connection in roadwarrior scenario from client A
4. Remove CA that is used by client B from cacerts folder
5. Call 'ipsec rereadcacerts'
6. Try to connect client B

Expected result:
- It doesn't work, since his certificate is no longer trusted

Actual result:
- It works
- ipsec listcacerts still shows removed CA in the list

Note:
I don't want to stop and start ipsec, since I don't want to lose established connections (client A, other tunnels)

Associated revisions

Revision 1fd70254
Added by Martin Willi about 6 years ago

Merge branch 'stroke-purge-on-reread'

Remove all previously loaded certificates during "ipsec reread", finally
allowing the removal of CA certificates from a running daemon.

Fixes #842, #700, #305.

History

#1 Updated by Andreas Steffen about 8 years ago

  • Status changed from New to Feedback

Hi Tomas,
keeping the existing CA certs and loading new ones is the intended behaviour of ipsec rereadcacerts.

Regards

Andreas

#2 Updated by Tomas Chmelar about 8 years ago

Hi Andreas,
if it is the intended behaviour of ipsec rereadcacerts, is there any other option to purge loaded CA certificates in charon?
Will it break something, if non-existent CA would be cleared?

Thanks, Tomas Chmelar

#3 Updated by Andreas Steffen about 8 years ago

Hmm, it might be possible to define an ipsec purgecacerts command but which would cause a rupture of all connections starting a reauthentication until the ipsec rereadcacerts command would be executed.

#4 Updated by Andreas Steffen about 8 years ago

  • Tracker changed from Bug to Feature
  • Assignee set to Andreas Steffen

#5 Updated by Martin Willi about 6 years ago

  • Category changed from configuration to libcharon
  • Assignee changed from Andreas Steffen to Martin Willi
  • Target version set to 5.3.0
  • Resolution set to Fixed

With the referenced merge, "ipsec reread" removes any previously loaded CA certificates before reloading them from disk. I think this behavior is closer to what a user expects; closing the issue.

Regards
Martin

#6 Updated by Martin Willi about 6 years ago

  • Status changed from Feedback to Closed

Also available in: Atom PDF