Hi Markus,
what you describe is a known bug which was fixed with version 0.9.9
of the X.509 patch. Excerpt from the CHANGES file:
...
Version 0.9.9
-------------
- When Pluto wants to use an expired public key in the public key
cache in order to check a signature, then the expired key is now
deleted from the chained list and the setup of the connection is
prevented.
...
Kind regards
Andreas
Markus Koellner wrote:
> Hi,
> after some tests today, I'm sure I have a problem with checking
> of the validity of a certificate.
> I use Freeswan 1.94 + X.509Patch 0.9.7.
>
> I've tested the following situation:
>
> a client tries to connect to freeswan successfully because the
> cert is still valid as you can see here:
> Jun 22 10:33:58 vpngate03 Pluto[24044]: | not before : Jun 22
> 08:51:44 UTC 2001
> Jun 22 10:33:58 vpngate03 Pluto[24044]: | current time: Jun 22
> 08:33:58 UTC 2002
> Jun 22 10:33:58 vpngate03 Pluto[24044]: | not after : Jun 22
> 08:51:44 UTC 2002
> Jun 22 10:33:58 vpngate03 Pluto[24044]: | certificate is valid
> [...]
> Jun 22 10:33:58 vpngate03 Pluto[24044]: "hismkg-4713" 217.83.188.125 #9:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established
> [...]
> Jun 22 10:34:00 vpngate03 Pluto[24044]: "hismkg-4713" 217.83.188.125
> #10: STATE_QUICK_R2: IPsec SA established
>
>
> but then the cert expires and freeswan shows me that but
> the client can still work (full debug here:
> http://www.pinworks.de/cert_timing_connsuccess.txt )!
>
> Jun 22 11:02:17 vpngate03 Pluto[24044]: | not before : Jun 22 08:51:44
> UTC 2001
> Jun 22 11:02:17 vpngate03 Pluto[24044]: | current time: Jun 22 09:02:17
> UTC 2002
> Jun 22 11:02:17 vpngate03 Pluto[24044]: | not after : Jun 22 08:51:44
> UTC 2002
> Jun 22 11:02:17 vpngate03 Pluto[24044]: "hismkg-4713" 80.131.218.190
> #34: Certificate is invalid
> Jun 22 11:02:17 vpngate03 Pluto[24044]: "hismkg-4713" 80.131.218.190
> #34: Invalid X.509 certificate
> Jun 22 11:02:17 vpngate03 Pluto[24044]: "hismkg-4713" 80.131.218.190
> #34: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> [...]
> Jun 22 11:02:19 vpngate03 Pluto[24044]: "hismkg-4713" 80.131.218.190
> #35: STATE_QUICK_R2: IPsec SA established
>
>
> ...but when you restart freeswan now, the client-cert is still invalid
> (which is right) and freeswan denies access because no rsa key is known,
> which is correct (full debug here:
> http://www.pinworks.de/cert_timing_connfailed.txt ):
>
> Jun 22 11:03:45 vpngate03 Pluto[24893]: | not before : Jun 22 08:51:44
> UTC 2001
> Jun 22 11:03:45 vpngate03 Pluto[24893]: | current time: Jun 22 09:03:45
> UTC 2002
> Jun 22 11:03:45 vpngate03 Pluto[24893]: | not after : Jun 22 08:51:44
> UTC 2002
> Jun 22 11:03:45 vpngate03 Pluto[24893]: "hismkg-4713" 80.131.218.190 #1:
> Certificate is invalid
> Jun 22 11:03:45 vpngate03 Pluto[24893]: "hismkg-4713" 80.131.218.190 #1:
> Invalid X.509 certificate
> Jun 22 11:03:45 vpngate03 Pluto[24893]: "hismkg-4713" 80.131.218.190 #1:
> no RSA public key known for 'CN=4713-lang'
>
>
> Andreas, any ideas ?
> This is very strange...
>
> It seems that freeswan doesn't delete expired public keys
> from the key chain and still uses them once they were
> authenticated successfully.
>
>
> Bye
> Markus
>
>
> At 22:28 27.06.02, Andreas Steffen wrote:
>
>> Hi Markus,
>>
>> yes, the not-before and not-after dates are checked against the
>> local time on the FreeS/WAN host (actually the local time is
>> converted to UTC time before comparison). If the cert is not
>> valid yet or if the validity has expired then the certificate
>> and with it the public key is rejected. Since all public keys
>> are cached by Pluto (see ipsec auto --listpubkeys), the expiration
>> date of the public key which is equal to the not-after date
>> of the certificate it was extracted from, is checked shortly
>> before use. If the validity of the public key has expired then
>> it is deleted from the chained list of cached keys. Thus it
>> is not possible to use an expired public key.
>>
>> Hope this helps
>>
>> Andreas
>>
>> ======================================================================
>> Andreas Steffen e-mail: andreas.steffen_at_zhwin.ch
>> Zuercher Hochschule Winterthur home: http://www.zhwin.ch/~sna/
>> CH-8401 Winterthur (Switzerland) phone: +41 76 340 25 56
>> ===============================================================[ZHW]==
>>
>>
>> > -----Original Message-----
>> > From: Markus Koellner [mailto:smshomey_at_gmx.de]
>> > Sent: Thursday, 27 June 2002 22:13
>> > To: Users FreeSwan IPSec
>> > Cc: Andreas Steffen
>> > Subject: X509Patch0.9.7 checks validity of cert ?
>> >
>> >
>> > Hi,
>> > just a short question without a special example:
>> >
>> > I'm using the X509Patch0.9.7 and I would like to know
>> > whether the patch on the freeswan side checks the time
>> > and date field within the sent peer certificate
>> > during the negotiation ?
>> >
>> > I know that the serial number of the cert is checked
>> > against the crl list but is the date ( notbefore-,
>> > notafter-field ) of the cert checked against the local
>> > time on the freeswan side whether it is valid ?
>> >
>> > I'm talking about the peer cert sent during the negotiation,
>> > not freeswan's own certificate.
>> >
>> > Bye
>> > Markus
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zuerichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
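Added example, not code from this thread or from FreeS/WAN or the X.509 patch: a hypothetical C model of the cached key chain Andreas describes, contrasting a lookup that never consults the not-after date (the 0.9.7 behaviour Markus observed, where a key keeps working after its certificate expires) with one that checks the date shortly before use and deletes the expired key from the chain so the connection setup is refused (the 0.9.9 fix). The struct, function names and the timestamps in run_scenario are assumptions constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* Hypothetical model of Pluto's public key cache (not the real Pluto code):
 * a chained list of keys, each tagged with its certificate's not-after date. */
struct pubkey {
    char id[64];          /* peer ID the key belongs to, e.g. "CN=4713-lang" */
    time_t not_after;     /* expiry copied from the certificate */
    struct pubkey *next;
};
void cache_add(struct pubkey **head, const char *id, time_t not_after) {
    struct pubkey *k = calloc(1, sizeof *k);
    strncpy(k->id, id, sizeof k->id - 1);
    k->not_after = not_after;
    k->next = *head;
    *head = k;
}
/* 0.9.7-style lookup: matches on ID only and never consults the expiry, so a
 * key that authenticated once keeps working after its certificate expires. */
struct pubkey *lookup_unchecked(struct pubkey *head, const char *id) {
    for (; head != NULL; head = head->next)
        if (strcmp(head->id, id) == 0)
            return head;
    return NULL;
}
/* 0.9.9-style lookup: an expired key is unlinked from the chain and freed, and
 * NULL is returned so the caller refuses to set up the connection. */
struct pubkey *lookup_checked(struct pubkey **head, const char *id, time_t now) {
    for (struct pubkey **pp = head; *pp != NULL; pp = &(*pp)->next) {
        struct pubkey *k = *pp;
        if (strcmp(k->id, id) != 0) continue;
        if (now <= k->not_after) return k;  /* still within validity period */
        *pp = k->next;                      /* not-after has passed: unlink */
        free(k);                            /* ... and delete the key */
        return NULL;                        /* setup of the connection is refused */
    }
    return NULL;
}
/* Replays the thread's scenario with constructed timestamps; returns how many
 * of the four expected behaviours were observed (4 = all of them). */
int run_scenario(void) {
    struct pubkey *cache = NULL;
    const char *peer = "CN=4713-lang";
    int ok = 0;
    cache_add(&cache, peer, 1000);                     /* not-after = 1000 */
    ok += lookup_checked(&cache, peer, 500) != NULL;   /* still valid: accepted */
    ok += lookup_unchecked(cache, peer) != NULL;       /* 0.9.7 never checks */
    ok += lookup_checked(&cache, peer, 2000) == NULL;  /* expired: rejected */
    ok += lookup_unchecked(cache, peer) == NULL;       /* and purged from chain */
    return ok;
}
```

A restart clears the whole chain, which is why Markus's third run (after restarting FreeS/WAN) correctly reported no RSA public key for the peer while the long-running daemon kept accepting it.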
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:23 CEST