From bd46337cb0eb87e7fd807e209f4eddd52ed2730b Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Wed, 14 Mar 2007 15:42:40 +0000
Subject: [PATCH] added

---
 .../ikev2/ocsp-untrusted-cert/description.txt | 9 +++++++
 .../tests/ikev2/ocsp-untrusted-cert/evaltest.dat | 5 ++++
 .../ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf | 28 ++++++++++++++++++++++
 .../ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf | 27 +++++++++++++++++++++
 .../hosts/winnetou/etc/openssl/start-ocsp | 20 ++++++++++++++++
 .../tests/ikev2/ocsp-untrusted-cert/posttest.dat | 3 +++
 .../tests/ikev2/ocsp-untrusted-cert/pretest.dat | 5 ++++
 testing/tests/ikev2/ocsp-untrusted-cert/test.conf | 21 ++++++++++++++++
 8 files changed, 118 insertions(+)
 create mode 100644 testing/tests/ikev2/ocsp-untrusted-cert/description.txt
 create mode 100644 testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
 create mode 100755 testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
 create mode 100755 testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/start-ocsp
 create mode 100644 testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
 create mode 100644 testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
 create mode 100644 testing/tests/ikev2/ocsp-untrusted-cert/test.conf

diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/description.txt b/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
new file mode 100644
index 0000000..f581dd3
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
@@ -0,0 +1,9 @@
+By setting strictcrlpolicy=yes, a strict CRL policy is enforced on
+both roadwarrior carol and gateway moon. The online certificate status
+is checked via the OCSP server winnetou which is sending its self-signed
+OCSP signer certificate. A strongswan ca section in ipsec.conf
+defines an OCSP URI pointing to winnetou.
+
+carol cannot successfully initiate an IPsec connection to moon since
+the self-signed certificate contained in the OCSP response will not be
+accepted by moon.
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
new file mode 100644
index 0000000..a0b6d68
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::received ocsp signer certificate is not trusted - rejected::YES
+moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::ipsec status::rw.*ESTABLISHED::NO
+carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 0000000..0209111
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 0000000..21b48ef
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
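Review bot: The CA section in carol's ipsec.conf is named `strongswan` while moon's ipsec.conf names the same CA `strongswan-ca`, although both load `cacert=strongswanCert.pem` and the same `ocspuri`; using one label on both hosts, e.g. `ca strongswan` on moon as well, would make the two files easier to compare side by side. The section name is only a local label, so this is wording rather than behaviour. description.txt already speaks of "a strongswan ca section", which matches carol's spelling.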
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/start-ocsp b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/start-ocsp
new file mode 100755
index 0000000..7eff288
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/start-ocsp
@@ -0,0 +1,20 @@
+#! /bin/sh
+# start an OpenSSL-based OCSP server
+#
+# Copyright (C) 2004 Andreas Steffen
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+# RCSID $Id: start-ocsp,v 1.3 2005/01/01 18:12:14 as Exp $
+
+cd /etc/openssl
+openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 -rkey ocspKey-self.pem -rsigner ocspCert-self.pem -nmin 5 < /dev/null > /dev/null 2>&1 &
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
new file mode 100644
index 0000000..117f625
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
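Review bot: In start-ocsp the `cd /etc/openssl` on the second-to-last line is unchecked, so if the directory is absent the responder is launched from the caller's working directory with relative `index.txt` and key paths that cannot resolve, and since stdout and stderr are sent to /dev/null that failure leaves no trace on winnetou; the test would then fail only at moon's log checks with no hint why. Suggest `cd /etc/openssl || exit 1` and redirecting the responder's output to a log file instead of /dev/null so a start-up error is visible. The script also does not record `$!`, which is why posttest.dat has to fall back on `winnetou::killall openssl`, stopping every openssl process on the host rather than the one started here; writing the PID to a pidfile (`echo $! > <pidfile>`) and killing that in posttest would be more targeted.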
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+winnetou::killall openssl
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
new file mode 100644
index 0000000..d5516fd
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -0,0 +1,5 @@
+winnetou::/etc/openssl/start-ocsp
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
new file mode 100644
index 0000000..2b240d8
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
-- 
2.7.4