How to accept an expired certificate from the remote peer?

[smanolache]

Hello,

I have a setup in which I'm the client and I try to setup a connection to the server. My configuration is pasted below. Everything worked fine until today when the certificate of the remote side expired. As it's Easter I guess nobody will fix it until Tuesday on the server side. So my question is how can I accept the expired certificate.

Here's my config:

config setup
        cachecrls=yes
        strictcrlpolicy=no
        uniqueids=yes

conn my_conn
        auto=add

        left=%any
        leftcert=my_cert.pem
        leftsubnet=192.168.1.0/24[17/1701]
        leftauth=pubkey

        right=%remote.example.com
        rightid=%any

        rightallowany=yes
        rightsendcert=never

        ike=3des-sha1-modp1024!
        keyexchange=ikev1
        dpdaction=none
        fragmentation=no
        type=transport
        ikelifetime=8h

        esp=3des-sha1

And here are the console messages when I run ipsec up my_conn:

initiating Main Mode IKE_SA my_conn[1] to 1.2.3.4
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.150[500] to 1.2.3.4[500] (152 bytes)
received packet: from 1.2.3.4[500] to 192.168.1.150[500] (124 bytes)
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.150[500] to 1.2.3.4[500] (244 bytes)
received packet: from 1.2.3.4[500] to 192.168.1.150[500] (848 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: 0d:f0:64:e7:a8:f9:8d:d7:58:a7:19:5d:1d:e6:f3:09
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
received cert request for unknown ca 'C=...'
received cert request for unknown ca 'C=...'
received cert request for unknown ca 'C=...'
received cert request for unknown ca 'C=...'
received cert request for 'C=...'
local host is behind NAT, sending keep alives
authentication of 'CN=my_common_name' (myself) successful
sending end entity cert "CN=my_common_name"
generating ID_PROT request 0 [ ID CERT SIG ]
sending packet: from 192.168.1.150[4500] to 1.2.3.4[4500] (1916 bytes)
received packet: from 1.2.3.4[4500] to 192.168.1.150[4500] (1804 bytes)
parsed ID_PROT response 0 [ ID CERT SIG ]
received end entity cert "CN=remote_common_name"
  using certificate "CN=remote_common_name"
  using trusted intermediate ca certificate "C=..."
subject certificate invalid (valid from Oct 02 12:04:38 2020 to Apr 02 12:04:38 2021)
no trusted RSA public key found for 'CN=remote_common_name'
deleting IKE_SA my_conn[1] between 192.168.1.150[CN=my_common_name]...1.2.3.4[CN=remote_common_name]
sending DELETE for IKE_SA my_conn[1]
generating INFORMATIONAL_V1 request 2914278008 [ HASH D ]
sending packet: from 192.168.1.150[4500] to 1.2.3.4[4500] (84 bytes)
establishing connection 'my_conn' failed

Thank you,
Sorin

[Thermi]

You can try copying the peer's certificate to the server and specifying it in rightcert. I do not know if that circumvents authentication of the certificate or not though. Effectively, locally stored certificates are supposed to be trusted implicitely.

[smanolache]

Thanks for the answer. I've put the server certificate in /etc/ipsec.d/certs, the startup logs show loaded certificate "CN=remote_common_name" from 'remote_cert.pem', I've added the rightcert=remote_cert.pem directive, but I get the same lines in the console, even the using trusted intermediate ca certificate line.

I'm not sure that I've configured everything correctly. I would have expected that strongswan do not try to go up the trust chain, and the using trusted intermediate... seems to indicate that it does go up the trust chain.

What frustrates me is that I can connect from a Win10 machine and from an Android phone, so the software on those machines simply ignores the certificate's expiration.

[Thermi]

I see. Sorry it didn't work.