[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Tue Oct 25 15:38:18 UTC 2016
New commits:

commit e96061fd866d810fe657d273fe9513a54a4c7067
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 25 11:37:24 2016 -0400

    pluto: update man page for rereadcrls -> fetchcrls and update log message

commit 14cd8be6bd19731f07166906766f621cb196c68b
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 25 11:35:23 2016 -0400

    updated changes

commit bb502678ee6631f34018537802e9e0da3ec67b4b
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 25 11:34:07 2016 -0400

    X509: Don't attempt to fetch crl->uri for fetching when not present

commit ce0b347a10797fa0c3d7254b4d828a9a57ebdd94
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 25 11:31:28 2016 -0400

    testing: updated nss-cert-crl-* tests

    Update tests to reflect that load_crls() no longer happens and the
    directory /etc/ipsec.d/crls is no longer in use.

commit 492e773eac5f856d474d76dc617915e9d160a01a
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 25 11:28:18 2016 -0400

    testing: removal of obsoleted nss-cert-crl-02-fetch

    The test would confirm a valid ipsec sa was established before
    the CRL fetching prevented the revoked cert from being used.
    But as of 3.19, on startup a fetch is launched, so now it just
    always fails to establish (as tested in other CRL tests).

commit 39f94d901fa8cf7862f0d105fd6b86a19c2ac5e7
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 25 01:04:28 2016 -0400
    pluto: update CRL handling, obsolete /etc/ipsec.d/crls

    Before starting pluto, the service script checks if it needs to
    convert from a legacy nss db to a new sql based nss db. If so,
    then the crls from /etc/ipsec.d/crls are imported into nss.

    CRL updates are supposed to go into the nss db directly (e.g. via
    CRL fetching) and the _import_crl helper would write fetched
    updates into that nss db on disk.

    CRL fetching was changed a few versions ago, but we still had code
    that would accept ipsec whack --rereadcrls, which would re-import the
    crls from /etc/ipsec.d/crls/ into nss. This would overwrite any
    CRLs from CRL fetching that had run since pluto start and could have
    been newer than the locally stored CRL file.

    ipsec whack --rereadcrls no longer makes sense, because CRLs become
    updated automatically when they are fetched or when crlutil is used
    externally by a sysadmin to push a new crl file into the nss db. So
    this command has been obsoleted and now returns a warning.

    A new whack --fetchcrls (alias ipsec crls or ipsec fetchcrls) has been
    added. This command triggers an immediate fetch instead of waiting
    for the crlcheckinterval= specified in config setup in ipsec.conf.

    A whack error (RC_CRLERROR) is returned when fetching is disabled
    and whack --fetchcrls is called.

    This also fixes an error return of the initial CRL import on nss db
    update in case there was a failure running certutil (it would return
    the error code of an echo line, which was always 0).

    This commit also removes load_crls() and some functions called by it
    that are no longer used. It was used to read the contents of the
    /etc/ipsec.d/crls/ directory.
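The exit-status bug described in the last commit (an import helper whose return value was that of a trailing echo, so a failed certutil run reported success) is the classic shell status-masking mistake. The script below is an added illustration, not libreswan's service script; `nss_import` is a constructed stand-in for the NSS import tool, and the two helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of libreswan. Shows why a helper that runs an
# import tool and then logs with echo always reports status 0, and the
# corrected form that preserves the tool's own exit status.

# Constructed stand-in for certutil/crlutil: fails (status 2) for "bad.crl".
nss_import() {
    case "$1" in
        bad.crl) return 2 ;;
        *)       return 0 ;;
    esac
}

# Buggy form: a function's status is that of its last command, and the
# last command here is the echo, which always succeeds.
import_crl_buggy() {
    nss_import "$1"
    echo "imported $1 into nss db"
}

# Corrected form: capture the tool's status before logging, then return it
# so the caller (e.g. a service script) can abort on a failed import.
import_crl_fixed() {
    nss_import "$1"
    rc=$?
    echo "import of $1 finished with status $rc"
    return $rc
}
```

Run both helpers against `bad.crl`: the buggy one exits 0 and hides the failure, the fixed one propagates status 2.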