author: Tobias Brunner <tobias@strongswan.org> 2015-10-27 17:34:50 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2016-03-10 11:07:15 +0100
commit: f1cbacc5d1be01938f35d04dfad10e0ed441ce0f
tree: 198122bc3c8982783874382481aa41f1682b1b5b /src/libcharon/encoding
parent: 8ce78e43a4746ce4d3d107ef2ed2f4e13f1c9c8f
download: strongswan-f1cbacc5d1be.tar.bz2, strongswan-f1cbacc5d1be.tar.xz
ikev2: Delay online revocation checks during make-before-break reauthentication
We do these checks after the SA is fully established.

When establishing an SA the responder is always able to install the CHILD_SA created with the IKE_SA before the initiator can do so. During make-before-break reauthentication this could cause traffic sent by the responder to get dropped if the installation of the SA on the initiator is delayed, e.g. by OCSP/CRL checks.

In particular, if the OCSP/CRL URIs are reachable via IPsec tunnel (e.g. with rightsubnet=0.0.0.0/0), the initiator is unable to reach them during make-before-break reauthentication as it wouldn't be able to decrypt the response that the responder sends using the new CHILD_SA.

By delaying the revocation checks until the make-before-break reauthentication is completed we avoid the problems described above.

Since this only affects reauthentication, not the original IKE_SA, and the delay until the checks are performed is usually not that long, this doesn't impose much of a reduction in the overall security.
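The deadlock the commit message describes can be reproduced in a small timing model. The following is an added illustration written for this page, not strongSwan code: it abstracts each peer to the set of CHILD_SAs it has installed and the SA it currently uses for outbound traffic, assumes the OCSP responder is only reachable through the tunnel (the rightsubnet=0.0.0.0/0 case), and compares running the revocation check before versus after the initiator installs the new CHILD_SA. The peer model, the SA labels "old"/"new" and the helper names are all hypothetical.

```python
"""Model of the CHILD_SA installation race during IKEv2 make-before-break
reauthentication (added illustration, not strongSwan code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Peer:
    """Hypothetical peer: which CHILD_SAs it can decrypt, and which one it
    uses for outbound traffic (always the most recently installed one)."""
    name: str
    installed: set = field(default_factory=set)
    outbound: Optional[str] = None

    def install(self, sa: str) -> None:
        self.installed.add(sa)
        self.outbound = sa

    def can_decrypt(self, sa: str) -> bool:
        return sa in self.installed


def ocsp_over_tunnel(initiator: Peer, responder: Peer) -> bool:
    """Initiator sends an OCSP request through its current outbound SA; the
    responder (acting as gateway to the OCSP server) decrypts it and forwards
    the answer through *its* current outbound SA.  Returns True only if the
    initiator can decrypt that answer, i.e. the check can complete."""
    if not responder.can_decrypt(initiator.outbound):
        return False
    return initiator.can_decrypt(responder.outbound)


def reauthenticate(delay_revocation_checks: bool) -> dict:
    """Run one make-before-break reauthentication and report the outcome.

    delay_revocation_checks=False models the behaviour before this commit
    (check, then install); True models the behaviour after it (install the
    new CHILD_SA first, check once the reauthentication is complete)."""
    initiator, responder = Peer("initiator"), Peer("responder")
    # The original IKE_SA with CHILD_SA "old" is up on both sides.
    initiator.install("old")
    responder.install("old")

    # New IKE_SA negotiated.  The responder installs the new CHILD_SA when it
    # sends its IKE_AUTH response, so it switches outbound traffic to "new"
    # before the initiator has processed that response.
    responder.install("new")

    if not delay_revocation_checks:
        # Initiator still has only "old": the OCSP request goes out on "old",
        # but the reply comes back on "new", which it cannot decrypt yet.
        if not ocsp_over_tunnel(initiator, responder):
            return {"established": False,
                    "reason": "OCSP response arrives on undecryptable CHILD_SA"}

    # Initiator installs the new CHILD_SA; both peers now use "new".
    initiator.install("new")
    # Delayed revocation check runs over the fully established tunnel.
    checked = ocsp_over_tunnel(initiator, responder)
    # Old CHILD_SA is torn down once reauthentication has completed.
    for peer in (initiator, responder):
        peer.installed.discard("old")
    return {"established": True, "revocation_checked": checked}


if __name__ == "__main__":
    print("check before install:", reauthenticate(False))
    print("check after install: ", reauthenticate(True))
```

The pre-commit path never completes: the initiator is blocked on a revocation check whose answer it cannot read, so it never installs the SA the answer was sent on. The post-commit path installs first and then performs the same check successfully, which is the trade-off the message describes as a short delay rather than a loss of the check.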
Diffstat (limited to 'src/libcharon/encoding')
0 files changed, 0 insertions, 0 deletions