Bug #33
ikev2/crl-revoked scenario broken
Description
it seems that changeset 3613 broke the crl-revoked scenario:
: 10[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
: 10[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
: 10[CFG] crl is trusted: good signature
: 10[CFG] fetched crl is valid
: 10[CFG] certificate was revoked on Dec 26 13:54:23 UTC 2004, reason: unspecified
: 10[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
: 10[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
: 10[CFG] crl is trusted: good signature
: 10[CFG] fetched crl is valid
...
...repeated another 10 times
...
: 10[IKE] no trusted public key found for 'carol@strongswan.org'
: 10[AUD] authentication of 'carol@strongswan.org' with RSA signature failed
: 10[IKE] peer supports MOBIKE
: 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
History
#1 Updated by Martin Willi over 14 years ago
ikev2/ocsp-revoked scenario is broken in the same way, too
#2 Updated by Martin Willi over 14 years ago
- Status changed from New to Closed
- Affected version set to fixed
r3613 did not introduced new problems, but it fixed the check_certificate() return value. While the behavior was correct, the complete trustchain still got verified.
The refactored trustchain verification from r3622 should address this problem and abort whenever a revoked certificate is found.
Please confirm...