Comments (5)
Thanks for the report. The crash happens if the OCSP response status indicates an error because that skips the function that parses the responseBytes ASN.1 structure, which is where responderId is ensured to be set to at least ID_ANY. I've pushed a possible fix to the 2011-ocsp branch.
However, I wonder why the OCSP server doesn't like the request in the first place. One difference I can see is that the nonce is now 32 bytes long instead of 16. But that's just an ASN.1 OCTET STRING and RFC 6960 doesn't make any restrictions on the length (neither did RFC 2560). You could try if changing it back makes a difference:
from strongswan.
> Thanks for the report. The crash happens if the OCSP response status indicates an error because that skips the function that parses the responseBytes ASN.1 structure, which is where responderId is ensured to be set to at least ID_ANY. I've pushed a possible fix to the 2011-ocsp branch.
I can confirm that after applying the patch, the OCSP error is now handled gracefully by falling back to the certificate revocation list.
15[CFG] checking certificate status of "C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Certification Authority 2"
15[CFG] requesting ocsp status from 'http://ocsp0336.telesec.de/ocspr' ...
15[LIB] ocsp response status: malformed request
15[CFG] ocsp response verification failed, invalid signature
15[CFG] ocsp response verification failed, invalid signature
15[CFG] ocsp check failed, fallback to crl
15[CFG] fetching crl from 'http://pki0336.telesec.de/rl/TeleSec_GlobalRoot_Class_2.crl' ...
15[CFG] using trusted certificate "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
15[CFG] crl correctly signed by "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
15[CFG] crl is valid: until Apr 17 11:23:00 2024
15[CFG] certificate status is good
> However, I wonder why the OCSP server doesn't like the request in the first place. One difference I can see is that the nonce is now 32 bytes long instead of 16. But that's just an ASN.1 OCTET STRING and RFC 6960 doesn't make any restrictions on the length (neither did RFC 2560). You could try if changing it back makes a difference:
Reverting the nonce length back to 16 bytes fixes the communication with the affected OCSP responder. But according to RFC 8954, newer clients must use a length of 32 bytes for the nonce, so strongSwan is not to blame here.
Thanks for testing. I've force-pushed an alternative fix and some additional patches to the branch.
> Reverting the nonce length back to 16 bytes fixes the communication with the affected OCSP responder. But according to RFC 8954, newer clients must use a length of 32 bytes for the nonce, so strongSwan is not to blame here.
True, but I wonder how many other server implementations are around that have a lower limit for nonces in OCSP requests. We could maybe add a setting to specify the nonce length. I've pushed a commit that does so to the same branch. In your case, you could set charon.ocsp_nonce_len to 16 to use this particular OCSP server.
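As an added example (not strongSwan's code and not part of this thread), a small Python model of the exchange discussed above: a nonce extension whose length stands in for charon.ocsp_nonce_len, a responder that only accepts nonces up to a limit and answers malformedRequest otherwise, and the client side that falls back to the CRL on any non-successful status, where responseBytes and hence responderId are never parsed. The hand-rolled DER helpers and the 16-octet responder limit are assumptions for illustration.

```python
import os
# id-pkix-ocsp-nonce, OID 1.3.6.1.5.5.7.48.1.2 (RFC 6960, 4.4.1), DER body
ID_PKIX_OCSP_NONCE = bytes.fromhex("2b0601050507300102")
SUCCESSFUL, MALFORMED_REQUEST = 0, 1  # OCSPResponseStatus, RFC 6960 4.2.1

def der(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def nonce_extension(nonce_len=32, nonce=None):
    """Extension { extnID, extnValue }; the nonce is an OCTET STRING wrapped in
    the extnValue OCTET STRING. nonce_len stands in for charon.ocsp_nonce_len."""
    nonce = os.urandom(nonce_len) if nonce is None else nonce
    return der(0x30, der(0x06, ID_PKIX_OCSP_NONCE) + der(0x04, der(0x04, nonce)))

def responder_status(ext, max_nonce_len=16):
    """Assumed model of a responder with a nonce limit (16 octets, like the one
    in the log above); RFC 8954 expects at least 16 to be accepted."""
    _, seq, _ = read_tlv(ext)
    _, oid, p = read_tlv(seq)
    if oid != ID_PKIX_OCSP_NONCE:
        raise ValueError("not a nonce extension")
    _, nonce, _ = read_tlv(read_tlv(seq, p)[1])  # unwrap extnValue, then nonce
    return SUCCESSFUL if len(nonce) <= max_nonce_len else MALFORMED_REQUEST

def error_response(status):
    """OCSPResponse with only responseStatus: all a responder sends on error."""
    return der(0x30, der(0x0A, bytes([status])))

def client_decision(resp):
    """Client side of the fix: responseBytes (and the responderId in it) exist only
    for status 'successful'; every other status must end in the CRL fallback."""
    _, body, _ = read_tlv(resp)
    tag, val, p = read_tlv(body)
    if tag != 0x0A or len(val) != 1:
        raise ValueError("bad responseStatus")
    has_response_bytes = p < len(body) and body[p] == 0xA0
    if val[0] != SUCCESSFUL or not has_response_bytes:
        return "ocsp check failed, fallback to crl"
    return "verify responseBytes"
```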
I have successfully tested the alternative fix and the new configuration option.
Great, thanks! I've pushed the changes to master and we'll probably release a new version soonish.