systime-fix Plugin

Purpose

The systime-fix plugin for libcharon is designed for embedded systems that don’t have a valid system time just after boot. It detects if the system time is incorrect and disables certificate lifetime validation during this period. This allows the device to establish tunnels even if the system time is out of sync and for example connect to an NTP server.

Once the system time gets corrected, the plugin can detect it and verify the lifetimes of all certificates used for active tunnels. If any certificate in the trust-chain is not valid for the given system time, the tunnel gets either closed or reestablished.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-systime-fix

Configuration

The systime-fix plugin is configured using the following options in the charon.plugins.systime-fix section of strongswan.conf:

Key Default Description

interval

0

Interval in seconds to check system time for validity. 0 disables the check

reauth

no

Whether to use reauth or delete if an invalid cert lifetime is detected

threshold

Threshold date where system time is considered valid. Disabled if not specified

threshold_format

%Y

strftime(3) format used to parse threshold option

timeout

0

How long to wait for a valid system time if an interval is configured. 0 to recheck indefinitely

Configuring a Threshold

Embedded systems often don’t have a valid system time after boot, but set it to a default time, such as January 1st 1970 or 2000. Once the system time gets adjusted (e.g. using NTP), the system time jumps to the current year.

By configuring a threshold the plugin can decide if the current system time is valid. If the boot up time is always year 2000 for this system, setting threshold = 2001 allows the plugin to detect corrected and valid system times reliably.

If a more accurate date format is required, the threshold_format option can be used to define any strptime(3) time format. The threshold option can then be configured to a valid date string for the custom format.

Periodical System Time Check

If an interval is configured, the plugin checks periodically if a system time got valid. If this happens, the certificate chains of all active connections get re-evaluated using the now valid system time.

The plugin can either close connections or reestablish them if an expired (or not yet valid) certificate is detected. To reauthenticate, set the reauth option to yes.

Once a valid system time is detected, system time polling is disabled completely. To stop waiting for a valid system time after a while and enforcing a certificate check, a timeout may be specified.