Feature #305
X509 CA store is not purged during 'ipsec rereadcacerts'
Description
Steps to reproduce:
1. Have 2 IPsec clients (A,B) configured to use their own certificates, signed by different CAs
2. Have these 2 CAs in the cacerts folder
3. Establish an IPsec connection in a roadwarrior scenario from client A
4. Remove the CA that is used by client B from the cacerts folder
5. Call 'ipsec rereadcacerts'
6. Try to connect client B
Expected result:
- It doesn't work, since his certificate is no longer trusted
Actual result:
- It works
- ipsec listcacerts still shows the removed CA in the list
Note:
I don't want to stop and start ipsec, since I don't want to lose established connections (client A, other tunnels)
Associated revisions
History
#1 Updated by Andreas Steffen over 9 years ago
- Status changed from New to Feedback
Hi Tomas,
keeping the existing CA certs and loading new ones is the intended behaviour of ipsec rereadcacerts.
Regards
Andreas
#2 Updated by Tomas Chmelar over 9 years ago
Hi Andreas,
if it is the intended behaviour of ipsec rereadcacerts, is there any other option to purge loaded CA certificates in charon?
Will it break something if a non-existent CA is cleared?
Thanks, Tomas Chmelar
#3 Updated by Andreas Steffen over 9 years ago
Hmm, it might be possible to define an ipsec purgecacerts command, but this would cause a rupture of all connections starting a reauthentication until the ipsec rereadcacerts command is executed.
#4 Updated by Andreas Steffen over 9 years ago
- Tracker changed from Bug to Feature
- Assignee set to Andreas Steffen
#5 Updated by Martin Willi over 7 years ago
- Category changed from configuration to libcharon
- Assignee changed from Andreas Steffen to Martin Willi
- Target version set to 5.3.0
- Resolution set to Fixed
With the referenced merge, "ipsec reread" removes any previously loaded CA certificates before reloading them from disk. I think this behavior is closer to what a user expects; closing the issue.
Regards
Martin
#6 Updated by Martin Willi over 7 years ago
- Status changed from Feedback to Closed
Merge branch 'stroke-purge-on-reread'
Remove all previously loaded certificates during "ipsec reread", finally
allowing the removal of CA certificates from a running daemon.
Fixes #842, #700, #305.