From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Oct 04 2002 - 17:49:38 CEST
No, it is not a bug. When an X.509 certificate is loaded the
notBefore date is checked. If the validity is ok then, assuming
that you are not playing "God" by turning back the time, the
notBefore condition will always remain valid. As a next step
the public key is extracted and stored together with the
notAfter date in the chained list that you can check with
ipsec auto --listpubkeys
The certificates are then not used anymore, since the
cached public keys are always used for authentication.
With certificates that you receive from your peer via the
IKE Main Mode protocol it is different. Here the validity of both
the peer certificate and the CA certificate is checked.
Only if all certificates are valid is the peer public key
extracted and put into the chained list of cached public keys.
But once this key is in the cache and you turn the time back,
the next time the cert comes along, it will be rejected but
the connection will still be renewed since authentication is
based on the cached public key.
So to make it short, the rule is:
The notBefore date does not have an influence once the
corresponding public key has been placed in the cache
after verification. And this is ok in my opinion as long
as you don't mess around with the fundamental law of causality.
Regards
Andreas
Ihsan Turkmen wrote:
> Andreas. That's why I am asking if it is a bug. When you look at the very
> bottom of the output you will see the date command screen output as well. I
> mean, the date shows
>
> Wed Sep 4 16:26:44 EEST 2002
>
> when I check it... I realized this situation while trying to adjust the
> clock of the system. Until then I was already connected to the system with
> Win2K / IPSec VPN.. I may have mistyped the date after the certs loaded, but
> if the certs are loaded earlier, then even if I misconfigured the date,
> certificates should not be accepted..
>
> Ihsan..
>
>
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.net]
> Sent: 04 October 2002 Friday 17:27
> To: Ihsan Turkmen
> Cc: 'users_at_lists.freeswan.org'
> Subject: Re: [Users] is this a bug ? certificates are (not valid yet)
> but gateway is s till working.
>
>
> Extremely strange!!! Your timestamp says that the certs were loaded
> Oct 03 14:09:17 2002 but the notBefore dates in September 2002 are
> not valid yet. What date does the "date" command show when you
> execute it right after ipsec auto --listall? Have you changed the
> date on purpose after starting Pluto?
>
> Regards
>
> Andreas
>
> Ihsan Turkmen wrote:
>
>>Hi!
>>The following command output is received from a working FreeSWAN gateway.
>>This gateway is working as a CA at the same time.
>>How can you explain that the (not valid yet) certificates can be useful in
>>this running gateway.
>>I can connect to this gateway both from another freeswan and win2k using
>>that CA.
>>
>>
>
>>======================================================================================
>>
>>List of User/Host Certificates:
>>000
>>000 Oct 03 14:09:17 2002, count: 2
>>000 subject: 'C=TR, ST=Istanbul, O=Yilmaz Trade and Cons. Co.,
>>OU=Export-Import, CN=Abdulkadir, E=ayilmaz_at_ifk.com.tr'
>>000 issuer: 'C=TR, ST=Istanbul, O=Turkmen Security Consultancy,
>>OU=Certificate Factory, CN=CATurk'
>>000 pubkey: 1024 RSA Key AwEAAeQXJ
>>000 validity: not before Sep 27 10:29:04 2002 fatal (not valid yet)
>>000 not after Sep 24 10:29:04 2012 ok
>>000 Oct 03 14:09:17 2002, count: 6
>>000 subject: 'C=TR, ST=Istanbul, O=Turkmen Security Consultancy,
>>CN=Caniko'
>>000 issuer: 'C=TR, ST=Istanbul, O=Turkmen Security Consultancy,
>>OU=Certificate Factory, CN=CATurk'
>>000 pubkey: 1024 RSA Key AwEAAc6co, has private key
>>000 validity: not before Sep 26 17:31:00 2002 fatal (not valid yet)
>>000 not after Sep 23 17:31:00 2012 ok
>>000 Oct 03 14:09:17 2002, count: 4
>>000 subject: 'C=TR, ST=Istanbul, O=Turkmen Security Consultancy,
>>CN=Ihsan Turkmen, E=iturkmen_at_ifk.com.tr'
>>000 issuer: 'C=TR, ST=Istanbul, O=Turkmen Security Consultancy,
>>OU=Certificate Factory, CN=CATurk'
>>000 pubkey: 1024 RSA Key AwEAAc0FW
>>000 validity: not before Oct 03 12:02:04 2002 fatal (not valid yet)
>>000 not after Sep 30 12:02:04 2012 ok
>>000
>>000 List of CA Certificates:
>>000
>>000 Oct 03 14:09:16 2002, count: 1
>>000 subject: 'C=TR, ST=Istanbul, O=Turkmen Security Consultancy,
>>OU=Certificate Factory, CN=CATurk'
>>000 issuer: 'C=TR, ST=Istanbul, O=Turkmen Security Consultancy,
>>OU=Certificate Factory, CN=CATurk'
>>000 pubkey: 1024 RSA Key AwEAAd5PQ
>>000 validity: not before Sep 20 14:54:10 2002 fatal (not valid yet)
>>000 not after May 29 14:54:10 2016 ok
>>000
>>
>>====================================================================================
>>[root_at_Tuna ihsan]# date
>>Wed Sep 4 16:26:44 EEST 2002
>>[root_at_Tuna ihsan]#
>>_______________________________________________
>>Users mailing list
>>Users_at_lists.freeswan.org
>>http://lists.freeswan.org/mailman/listinfo/users
>
>
--
======================================================================
Andreas Steffen                  e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                   phone:  +41 76 340 25 56
Alter Zürichweg 20               home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
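The caching rule Andreas describes, modelled as an added example (not code from the thread or from FreeS/WAN itself): a certificate is validated once, only (pubkey, notAfter) is cached, and later authentication never re-checks notBefore. Subject names are shortened, the pubkey is compared as a string, and signature verification is elided; the dates are taken from the --listall output and the `date` output above.

```python
from dataclasses import dataclass
from datetime import datetime
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: str           # stand-in for the RSA public key
    not_before: datetime
    not_after: datetime
class PubkeyCache:
    def __init__(self):
        self._keys = {}   # subject -> (pubkey, not_after)
    def load_local_cert(self, cert, now):
        # Locally loaded cert: only notBefore is checked at load time.
        if now < cert.not_before:
            return False
        self._keys[cert.subject] = (cert.pubkey, cert.not_after)
        return True
    def receive_peer_cert(self, cert, ca, now):
        # Cert received in IKE Main Mode: peer and CA validity are both
        # checked (signature verification is elided in this model).
        if cert.issuer != ca.subject:
            return False
        for c in (cert, ca):
            if not c.not_before <= now <= c.not_after:
                return False
        self._keys[cert.subject] = (cert.pubkey, cert.not_after)
        return True
    def authenticate(self, subject, pubkey, now):
        # Authentication consults the cache only; notBefore is never re-checked.
        entry = self._keys.get(subject)
        return entry is not None and entry[0] == pubkey and now <= entry[1]
# Constructed sample data, shaped after the --listall output in the thread.
CA = Cert("CN=CATurk", "CN=CATurk", "AwEAAd5PQ",
          datetime(2002, 9, 20, 14, 54, 10), datetime(2016, 5, 29, 14, 54, 10))
PEER = Cert("CN=Abdulkadir", "CN=CATurk", "AwEAAeQXJ",
            datetime(2002, 9, 27, 10, 29, 4), datetime(2012, 9, 24, 10, 29, 4))
LOADED_AT = datetime(2002, 10, 3, 14, 9, 17)   # timestamp in the listing
CLOCK_BACK = datetime(2002, 9, 4, 16, 26, 44)  # what `date` later showed
def scenario():
    cache = PubkeyCache()
    accepted = cache.receive_peer_cert(PEER, CA, LOADED_AT)
    # Clock turned back: re-presenting the cert fails, cached auth still works.
    re_accepted = cache.receive_peer_cert(PEER, CA, CLOCK_BACK)
    still_auths = cache.authenticate(PEER.subject, PEER.pubkey, CLOCK_BACK)
    return accepted, re_accepted, still_auths
```

Running `scenario()` reproduces the thread's observation: the cert is accepted at load time, rejected when presented again after the clock is turned back, yet the connection still authenticates from the cached key.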
This archive was generated by hypermail 2.1.5 : Sat Oct 05 2002 - 05:20:20 CEST