IPSEC is not using CRL



  • Hi
    There is no possibility to revoke a cert for IPsec in the Certificate Manager.
    If there is the entry "Revoked" in the row, IPsec ignores it because of the missing CRL.

    Also, deleting a valid certificate without revoking it in a CRL ends up in a "hidden" but fully functional cert.
    A CRL should be generated at the same time a new CA is created, and it should not be possible to delete this CRL until you delete the CA.
    It should only be possible to set a revoked cert, not a removed one, back to a valid state.

    My test of copying the internally generated CRL to /var/etc/'hashed-name-for-ca'.r0
    ends up with "CRL has expired".

    So please also add the option to set the lifetime (default the same as the CA?) for the CRL and the possibility to use a CRL in IPsec.

    Thanks and best regards
    markus


  • Rebel Alliance Developer Netgate

    The IPsec code needs adjusting to add that in, but as you see it wasn't as easy as it is with OpenVPN. It takes some additional hoop jumping there to make it happen the way racoon wants.

    Open a feature request on redmine.pfsense.org and if someone can code up a fix it'll make it in. It may be too late to add it and make sure it works for 2.0 though, it may have to wait for 2.1.



  • Hi
    The problem is I don't find where pfSense stores all certs and keys, especially the CA key (and the description name), on the filesystem.

    My workaround is with XCA: export all certs & keys, then create a CRL with a lifetime of 10 years and create/import it to /var/etc/"hash-of-ca".r0 –> it works perfectly.

    The same on the console, like this (the CRL lifetime is set with -crldays, and the symlink name is the CA hash printed by openssl crl -hash):
    openssl ca -gencrl -crldays xxx -keyfile ca_key -cert ca_crt -out my_crl.pem
    ln -s -f my_crl.pem "$(openssl crl -noout -hash -in my_crl.pem)".r0

    regards max


  • Rebel Alliance Developer Netgate

    They aren't stored separately on the filesystem, they're stored in the config like all other settings.



  • Is there a script which creates and extracts the CA to the filesystem with the name "hash-of-ca".0, and if so, what's the name/path of the script?

    regards max


  • Rebel Alliance Developer Netgate

    No there is no script. If there was, we'd probably already have IPsec using it. The code you're after just doesn't exist yet. Someone will either have to write it or sponsor it (either with a bounty or requesting it be done via commercial support), or wait until someone else has enough time to get to it.



  • So how the hell does pfSense create the needed 'ca-hash-name'.0 file if I select the cert for my IPsec config?
    racoon is using this file 'ca-hash-name'.0 and also, if available, a CRL with the name 'ca-hash-name'.r0.
    There must be a helper for this..

    regards max


  • Rebel Alliance Developer Netgate

    It's in the code that writes out the racoon config. It's not a separate script.



  • So it is possible to write out the CRL (maybe with the same name) at the same time.
    Only the lifetime for the CRL should be extended.

    Do you know where the code is that writes that out?
    regards max


  • Rebel Alliance Developer Netgate

    The lifetime of the CRL is already handled in the GUI when making the CRL.

    Just writing out the CRL isn't enough though, because the GUI supports multiple CRLs per CA, and the hash-of-ca method only lets you have one, so you can't just write them all out. The GUI will need a field to pick a CRL.

    But otherwise, yes, it can be written out then.

    As I said, it's possible, someone just needs to take the time to write the code, or sponsor the code.



  • Hi
    The lifetime is too short and should be settable :-)
    See the first post:
    My test of copying the internally generated CRL to /var/etc/'hashed-name-for-ca'.r0
    ends up with "CRL has expired".
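The following is an added example, not code from this thread or from pfSense. It reproduces on a scratch CA what the two posts above describe: the openssl ca -gencrl / hash-named symlink procedure from the earlier post, and the "CRL has expired" failure that a short CRL lifetime produces. It issues a cert, revokes it, generates a CRL with a chosen lifetime (-crldays), installs the CA and CRL under the <hash>.0 and <hash>.r0 names that OpenSSL's hash-directory lookup (and, per the thread, racoon) uses, and then shows what a verifier sees without a CRL check, with one, and once the CRL's nextUpdate has passed. All paths are constructed scratch paths; $CAPATH stands in for the /var/etc directory mentioned in the thread, and the hypothetical openssl.cnf is a minimal one written by the script, not pfSense's.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense. Scratch CA + revoked leaf +
# CRL with a chosen lifetime, installed as <hash>.0 / <hash>.r0 in $CAPATH
# (a stand-in for /var/etc). All paths and names here are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/capath"

# Minimal config for `openssl ca` / `openssl req`; nothing pfSense-specific.
write_ca_config() {
    mkdir -p "$WORK/ca" "$CAPATH"
    : > "$WORK/ca/index.txt"
    echo 01 > "$WORK/ca/serial"
    echo 01 > "$WORK/ca/crlnumber"
    cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK/ca
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = leaf_ext
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
}

# Build CA and leaf, revoke the leaf, emit a CRL valid for $1 days, and install
# CA and CRL under their hash names. Echoes the hash so the caller can inspect $CAPATH.
build_demo_pki() {
    days="$1"
    write_ca_config
    cnf="$WORK/ca/openssl.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$cnf" -extensions v3_ca \
        -subj /CN=DemoCA -days 3650 -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" \
        -subj /CN=leaf -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl ca -batch -config "$cnf" -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" -notext 2>/dev/null
    # Revoke it: without a published CRL this alone changes nothing for a verifier.
    openssl ca -batch -config "$cnf" -revoke "$WORK/leaf.crt" 2>/dev/null
    # The "-crldays xxx" step from the post: the CRL lifetime is chosen here.
    openssl ca -batch -config "$cnf" -gencrl -crldays "$days" -out "$WORK/crl.pem" 2>/dev/null
    # <hash>.0 = CA cert, <hash>.r0 = CRL; the CRL's issuer hash equals the CA's subject hash.
    ca_hash=$(openssl x509 -noout -hash -in "$WORK/ca/ca.crt")
    crl_hash=$(openssl crl -noout -hash -in "$WORK/crl.pem")
    [ "$ca_hash" = "$crl_hash" ] || { echo "hash mismatch" >&2; return 1; }
    cp "$WORK/ca/ca.crt" "$CAPATH/$ca_hash.0"
    cp "$WORK/crl.pem" "$CAPATH/$ca_hash.r0"
    echo "$ca_hash"
}

# Verify the leaf against the hash directory; extra args (e.g. -crl_check,
# -attime <epoch>) go to openssl verify. Prints one word:
# valid | revoked | crl-expired | other
verify_leaf() {
    if out=$(openssl verify -CApath "$CAPATH" "$@" "$WORK/leaf.crt" 2>&1); then
        echo valid
        return 0
    fi
    case "$out" in
        *"CRL has expired"*)     echo crl-expired ;;
        *"certificate revoked"*) echo revoked ;;
        *)                       echo other ;;
    esac
}

if [ "${1:-}" = demo ]; then
    build_demo_pki 30
    echo "no CRL check:         $(verify_leaf)"             # valid: the revoked cert still works
    echo "with -crl_check:      $(verify_leaf -crl_check)"  # revoked
    later=$(( $(date +%s) + 60 * 24 * 3600 ))
    echo "CRL check in 60 days: $(verify_leaf -crl_check -attime "$later")"  # crl-expired
fi
```

Run it as `sh demo.sh demo`. The first line shows the point made in the opening post: a revoked cert that is never checked against a CRL is still fully functional. The third line reproduces the "CRL has expired" failure by verifying at a date past the CRL's nextUpdate, which is exactly what a verifier sees once a short-lived CRL copied into the hash directory ages out; whatever lifetime is chosen, the CRL has to be regenerated and re-installed before that date.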


  • Rebel Alliance Developer Netgate

    And as I said, the lifetime is settable when you make the CRL in the GUI. If that isn't working there is another problem elsewhere. It works with OpenVPN so I'm not sure what racoon is complaining about. Feel free to research it more.

