Bug #3273
Can't fetch CRL via HTTP on Android 9
Description
It seems that from the last update, strongSwan for Android does not fetch CRL anymore.
It worked fine before.
IKEv2 EAP (Username/Password) VPN type.
Options:
Use OCSP to check certificate: disabled
Use CRLs to check certificate: enabled
Use strict revocation checking: enabled
In log I see:
...
[CFG] fetching crl from 'http://www.example.com/xxxx/xxxxx/crl.txt' ...
[LIB] failed to fetch from 'http://www.example.com/xxxx/xxxxx/crl.txt'
[CFG] crl fetching failed
[CFG] certificate status is not available
...
When
Use strict revocation checking: disabled
then connection works fine.
System:
strongSwan 5.8.1, Android 9 - 00WW_6_19B/2019-10-01
Nokia 5/TA-1053
Associated revisions
History
#1 Updated by Tobias Brunner over 2 years ago
- Tracker changed from Issue to Bug
- Subject changed from Can't fetch CRL to Can't fetch CRL via HTTP on Android 9
- Category set to android
- Status changed from New to Feedback
- Assignee set to Tobias Brunner
- Target version set to 5.8.2
> It seems that from the last update, strongSwan for Android does not fetch CRL anymore.

Thanks for the report. Looks like this is due to a new restriction on Android 9 when using HttpURLConnection to connect via HTTP (as opposed to HTTPS). I've released a fixed version to the Play store.
#2 Updated by Tomas Beran over 2 years ago
Thanks Tobias.
Installed new version from Play store and it works fine.
#3 Updated by Tobias Brunner over 2 years ago
- Status changed from Feedback to Closed
- Resolution set to Fixed
android: Add networkSecurityConfig to fetch CRLs/OCSP via HTTP
Android 9 restricts this to only HTTPS by default.
Fixes #3273.
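
An added example, not part of the original ticket or of the strongSwan code base: a small Python check that evaluates an Android network security config against a CRL URL, showing why the fetch in the log fails under the Android 9 default and which config entries permit it. The sample configs are constructed, the `target_sdk` parameter is an assumption about how the platform default is selected, and nested `domain-config` elements are not handled.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample configs (res/xml/network_security_config.xml style).
PERMIT_ALL = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
</network-security-config>"""
PER_DOMAIN = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">example.com</domain>
  </domain-config>
</network-security-config>"""
CRL_URL = "http://www.example.com/xxxx/xxxxx/crl.txt"  # URL from the log above


def _flag(elem, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.strip().lower() == "true"


def cleartext_allowed(config_xml, url, target_sdk=28):
    """Return True if the platform policy would let the app fetch `url`."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "https":
        return True  # the restriction only concerns cleartext HTTP
    host = (parts.hostname or "").lower()
    allowed = target_sdk < 28  # assumed default: no cleartext from API 28 on
    if config_xml is None:
        return allowed
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    if base is not None:
        allowed = _flag(base, allowed)
    best = -1  # length of the most specific matching <domain> so far
    result = allowed
    for dc in root.findall("domain-config"):  # top-level entries only
        for dom in dc.findall("domain"):
            name = (dom.text or "").strip().lower()
            subs = dom.get("includeSubdomains", "false").lower() == "true"
            if name and (host == name or (subs and host.endswith("." + name))):
                if len(name) > best:
                    best, result = len(name), _flag(dc, allowed)
    return result


if __name__ == "__main__":
    for label, cfg in (("no config", None), ("base-config", PERMIT_ALL),
                       ("per-domain", PER_DOMAIN)):
        print(label, cleartext_allowed(cfg, CRL_URL))
```

A per-domain entry only covers hosts known in advance, while CRL and OCSP URLs are taken from the certificates being checked, so the per-domain sample still blocks a distribution point on any other host.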