
Issue #3500

swanctl --list-cert not listing all certs

Added by Andreas Martens about 1 month ago. Updated about 1 month ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: swanctl
Affected version: 5.8.2
Resolution:
Description

Hello,

I have a system with 5 active IPsec Security Associations, each with a certificate-based / pubkey left and right auth.

To regularly check for revocation of certificates, I need to know the certificates used by the peers. After much digging I found that swanctl --list-certs would list them. All good!

Now after a few days I can only see a subset of the certificates (at time of writing, only the latest of the certs used, though earlier in the day it was showing two out of the five), a subset of the CAs and a subset of the CRLs.

Is there a reason for this? Could I get better results by building a full vici plugin?

It does mention that "curl SSL backend mbedTLS/2.16.3 not supported, https:// disabled" which I've assumed is unrelated.

thanks,
Andreas

History

#1 Updated by Tobias Brunner about 1 month ago

  • Status changed from New to Feedback

> To regularly check for revocation of certificates, I need to know the certificates used by the peers.

You could force clients to reauthenticate (see ExpiryRekey) - although that does have some negative side-effects. And if you revoked a certificate you could also just manually kill any affected SAs based on the identity (although not that easily via swanctl, but e.g. via Python bindings). We also had some plans for a plugin that would dynamically monitor the revocation state of remote certificates, but the client backed out at the time.

> Is there a reason for this?

The list-certs() command lists certificates provided by any credential set, mainly configured certificates but also from the validation cache, which can contain certificates of remote peers. However, the latter is e.g. cleared when credentials are (re-)loaded. So there is no guarantee that the command will return certificates of currently connected peers (in particular if the SA was created a while ago).

It's currently not possible to retrieve the certificates used by a specific SA via VICI, however, custom plugins can do so (and the old stroke interface also provided a command for it). There actually is even a method on ike_sa_t that can be used to re-validate a peer's certificate (source:src/libcharon/sa/ike_sa.c#L502), but that's not exposed via external APIs.

> Could I get better results by building a full vici plugin?

What do you mean? If you mean a custom plugin, then that would allow you to retrieve peer certificates from any established IKE_SA (as long as charon.flush_auth_cfg is not enabled).

> It does mention that "curl SSL backend mbedTLS/2.16.3 not supported, https:// disabled" which I've assumed is unrelated.

It is (I guess it could be added to the NSS/BoringSSL case here: source:src/libstrongswan/plugins/curl/curl_plugin.c#L59).
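As an added example (not part of this issue and not strongSwan project code), here is the "kill affected SAs based on the identity via the Python bindings" approach mentioned in the reply: it matches the `remote-id` of each IKE_SA from `list_sas()` against a set of revoked identities and terminates the hits by unique id. It assumes the `vici` Python package and a running charon; the sample SA list is constructed.

```python
"""Terminate IKE_SAs whose remote identity belongs to a revoked certificate.

Works on the structure the vici Python bindings return from Session.list_sas():
an iterable of dicts, each mapping a connection name to a dict of bytes values
(e.g. b"uniqueid", b"remote-id").
"""


def sas_to_terminate(sas, revoked_ids):
    """Return [(conn_name, ike_unique_id, remote_id)] for every SA whose
    remote-id is in `revoked_ids` (a set of identity strings such as DNs)."""
    hits = []
    for entry in sas:
        for conn_name, sa in entry.items():
            remote = sa.get("remote-id", b"").decode()
            if remote in revoked_ids:
                hits.append((conn_name, sa["uniqueid"].decode(), remote))
    return hits


def terminate_revoked(revoked_ids, session=None):
    """Find and kill matching IKE_SAs over VICI; returns the list of hits.
    With session=None a vici.Session() is opened on charon's default socket
    (assumption: the strongSwan `vici` package is installed)."""
    if session is None:
        import vici  # lazy import so the pure matching logic works without charon
        session = vici.Session()
    hits = sas_to_terminate(session.list_sas(), revoked_ids)
    for _, ike_id, _ in hits:
        # "ike-id" selects the SA by its unique id (like swanctl --terminate --ike-id);
        # terminate() streams control-log messages, so drain the generator
        list(session.terminate({"ike-id": ike_id}))
    return hits


# Constructed sample mimicking list_sas() output: two SAs, one peer to revoke
SAMPLE_SAS = [
    {"site-a": {"uniqueid": b"7", "remote-id": b"C=CH, O=Example, CN=peer-a"}},
    {"site-b": {"uniqueid": b"9", "remote-id": b"C=CH, O=Example, CN=peer-b"}},
]

if __name__ == "__main__":
    print(sas_to_terminate(SAMPLE_SAS, {"C=CH, O=Example, CN=peer-b"}))
```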
