Feature #305
X509 CA store is not purged during 'ipsec rereadcacerts'
Description
Steps to reproduce:
1. Have 2 IPsec clients (A, B) configured to use their own certificates, signed by different CAs
2. Have these 2 CAs in the cacerts folder
3. Establish an IPsec connection in a roadwarrior scenario from client A
4. Remove the CA used by client B from the cacerts folder
5. Call 'ipsec rereadcacerts'
6. Try to connect client B
Expected result:
- It doesn't work, since its certificate is no longer trusted
Actual result:
- It works
- ipsec listcacerts still shows removed CA in the list
Note:
I don't want to stop and start ipsec, since I don't want to lose the established connections (client A, other tunnels).
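An operator-side check for the state the steps above produce (a CA still reported by 'ipsec listcacerts' although its file is gone from the cacerts folder), as an added example; this is not strongSwan code. It assumes 'ipsec listcacerts' prints one '  subject:  "..."' line per CA and that openssl (1.1 or later output format) is available for the on-disk side.

```shell
#!/bin/sh
# Added audit helper, not part of strongSwan: report CA certificates that
# charon still reports as loaded although their file was removed from the
# cacerts directory (the stale state described in this issue).
# Assumption: "ipsec listcacerts" prints '  subject:  "<DN>"' lines.

# Normalise a DN so strongSwan's 'C=CH, O=X, CN=Y' and OpenSSL 1.1+'s
# 'subject=C = CH, O = X, CN = Y' compare equal.
norm_dn() {
    sed 's/^subject=//; s/[[:space:]]*=[[:space:]]*/=/g; s/[[:space:]]*,[[:space:]]*/, /g'
}

# Subject DNs from "ipsec listcacerts" output read on stdin, one per line.
loaded_ca_subjects() {
    sed -n 's/^[[:space:]]*subject:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' | norm_dn | sort -u
}

# Subject DNs of the certificate files in directory $1 (needs openssl).
ondisk_ca_subjects() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -subject 2>/dev/null
    done | norm_dn | sort -u
}

# Print every loaded subject (stdin) that is absent from the on-disk list
# ($1: file of normalised subjects). Non-empty output means charon still
# trusts a CA the operator removed; empty output is the good case.
stale_ca_subjects() {
    grep -Fxv -f "$1" || true   # grep exits 1 when nothing is left over
}

# Usage on a live system:
#   ipsec listcacerts | loaded_ca_subjects > /tmp/loaded
#   ondisk_ca_subjects /etc/ipsec.d/cacerts > /tmp/ondisk
#   stale_ca_subjects /tmp/ondisk < /tmp/loaded
```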
History
#1 Updated by Andreas Steffen over 12 years ago
- Status changed from New to Feedback
Hi Tomas,
keeping the existing CA certs and loading new ones is the intended behaviour of ipsec rereadcacerts.
Regards
Andreas
#2 Updated by Tomas Chmelar over 12 years ago
Hi Andreas,
if it is the intended behaviour of ipsec rereadcacerts, is there any other option to purge loaded CA certificates in charon?
Will it break something if the non-existent CAs are cleared?
Thanks, Tomas Chmelar
#3 Updated by Andreas Steffen over 12 years ago
Hmm, it might be possible to define an ipsec purgecacerts command, but it would cause a rupture of all connections starting a reauthentication until the ipsec rereadcacerts command was executed.
#4 Updated by Andreas Steffen over 12 years ago
- Tracker changed from Bug to Feature
- Assignee set to Andreas Steffen
#5 Updated by Martin Willi over 10 years ago
- Category changed from configuration to libcharon
- Assignee changed from Andreas Steffen to Martin Willi
- Target version set to 5.3.0
- Resolution set to Fixed
With the referenced merge, "ipsec reread" removes any previously loaded CA certificates before reloading them from disk. I think this behavior is closer to what a user expects; closing the issue.
Regards
Martin
#6 Updated by Martin Willi over 10 years ago
- Status changed from Feedback to Closed