Bug #3273

Can't fetch CRL via HTTP on Android 9

Added by Tomas Beran 26 days ago. Updated 25 days ago.

Status: Closed
Priority: Normal
Category: android
Target version:
Start date:
Due date:
Estimated time:
Affected version: 5.8.1
Resolution: Fixed

Description

It seems that from the last update, strongSwan for Android does not fetch CRL anymore.
It worked fine before.

IKEv2 EAP (Username/Password) VPN type.

Options:
Use OCSP to check certificate: disabled
Use CRLs to check certificate: enabled
Use strict revocation checking: enabled

In the log I see:
...
[CFG] fetching crl from 'http://www.example.com/xxxx/xxxxx/crl.txt' ...
[LIB] failed to fetch from 'http://www.example.com/xxxx/xxxxx/crl.txt'
[CFG] crl fetching failed
[CFG] certificate status is not available
...

When
Use strict revocation checking: disabled

then connection works fine.

System:
strongSwan 5.8.1, Android 9 - 00WW_6_19B/2019-10-01
Nokia 5/TA-1053

Associated revisions

Revision 47c1e86a (diff)
Added by Tobias Brunner 25 days ago

android: Add networkSecurityConfig to fetch CRLs/OCSP via HTTP

Android 9 restricts this to only HTTPS by default.

Fixes #3273.

History

#1 Updated by Tobias Brunner 25 days ago

  • Tracker changed from Issue to Bug
  • Subject changed from Can't fetch CRL to Can't fetch CRL via HTTP on Android 9
  • Category set to android
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner
  • Target version set to 5.8.2

> It seems that from the last update, strongSwan for Android does not fetch CRL anymore.

Thanks for the report. Looks like this is due to a new restriction on Android 9 when using HttpURLConnection to connect via HTTP (as opposed to HTTPS). I've released a fixed version to the Play store.
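
What a network security configuration of the kind named in the commit can look like, as an added example that is not the project's actual file from the revision above. The file name and the choice of a base-config instead of per-domain entries are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  res/xml/network_security_config.xml (assumed file name), referenced from
  AndroidManifest.xml on the application element:
      android:networkSecurityConfig="@xml/network_security_config"
-->
<network-security-config>
    <!--
      Apps targeting Android 9 (API level 28) or later get
      cleartextTrafficPermitted="false" by default, so HttpURLConnection
      refuses plain http:// URLs and the CRL fetch fails as in the log above.

      CRL distribution points and OCSP responder URLs come from the peer's
      certificates, so the hosts are not known at build time. A domain-config
      listing specific hosts cannot cover them, which is why this example
      sets the flag on base-config (applies to every host).
    -->
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>
```

CRLs and OCSP responses are signed by their issuer, so their integrity does not depend on the transport. The setting does apply to every HTTP connection the app makes, so any other URL the app fetches should still use HTTPS explicitly.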

#2 Updated by Tomas Beran 25 days ago

Thanks Tobias.
Installed new version from Play store and it works fine.

#3 Updated by Tobias Brunner 25 days ago

  • Status changed from Feedback to Closed
  • Resolution set to Fixed
