[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Tue Oct 25 15:38:18 UTC 2016


New commits:
commit e96061fd866d810fe657d273fe9513a54a4c7067
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 25 11:37:24 2016 -0400

    pluto: update man page for rereadcrls -> fetchcrls and update log message

commit 14cd8be6bd19731f07166906766f621cb196c68b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 25 11:35:23 2016 -0400

    updated changes

commit bb502678ee6631f34018537802e9e0da3ec67b4b
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 25 11:34:07 2016 -0400

    X509: Don't attempt to fetch crl->uri for fetching when not present

commit ce0b347a10797fa0c3d7254b4d828a9a57ebdd94
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 25 11:31:28 2016 -0400

    testing: updated nss-cert-crl-* tests
    
    Update tests to reflect that load_crls() no longer happens and the
    directory /etc/ipsec.d/crls is no longer in use.

commit 492e773eac5f856d474d76dc617915e9d160a01a
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 25 11:28:18 2016 -0400

    testing: removal of obsoleted nss-cert-crl-02-fetch
    
    The test would confirm a valid ipsec sa was established before
    the CRL fetching prevented the revoked cert from being used.
    But as of 3.19, on startup a fetch is launched, so now it just
    always fails to establish (as tested in other CRL tests).

commit 39f94d901fa8cf7862f0d105fd6b86a19c2ac5e7
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 25 01:04:28 2016 -0400

    pluto: update CRL handling obsolete /etc/ipsec.d/crls
    
    Before starting pluto, the service script checks if it needs to
    convert from a legacy nss db to a new sql based nss db. If so,
    then the crls from /etc/ipsec.d/crls are imported into nss.
    CRL updates are supposed to go into the nss db directly (e.g. via
    CRL fetching) and the _import_crl helper would write fetched
    updates into that nss db on disk.
    
    CRL fetching was changed a few versions ago, but we still had code
    that would accept ipsec whack --rereadcrls, which would re-import the
    crls from /etc/ipsec.d/crls/ into nss. This would overwrite any
    CRLs from CRL fetching that had run since pluto start and could have
    been newer than the locally stored CRL file.
    
    ipsec whack --rereadcrls no longer makes sense, because CRLs are
    updated automatically when they are fetched or when crlutil is used
    externally by a sysadmin to push a new crl file into the nss db. So
    this command has been obsoleted and now returns a warning.
    
    A new whack --fetchcrls (alias ipsec crls or ipsec fetchcrls) has been
    added. This command triggers an immediate fetch - instead of waiting
    for the crlcheckinterval= specified in config setup in ipsec.conf.
    
    A whack error (RC_CRLERROR) is returned when fetching is disabled
    and whack --fetchcrls is called.
    
    This also fixes an error return of the initial CRL import on nss db
    update in case there was a failure running certutil (it would return
    the error code of an echo line, which was always 0).
    
    This commit also removes load_crls() and some functions called by it
    that are no longer used. It was used to read the contents of the
    /etc/ipsec.d/crls/ directory.
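The exit-status defect described in the last commit (logging with echo after the import and then returning `$?`, so the helper always reported success) is shown here in a constructed shell example that is not libreswan's own _import_crl code: a directory import that captures each importer's status before logging and reports failure if any file did not import. The importer command is passed as a parameter (with NSS tools installed it would be something like `crlutil -I -d sql:/etc/ipsec.d -i`, with the file appended as the last argument); nothing here assumes crlutil is present.

```shell
#!/bin/sh
# Constructed example: import every CRL file in a directory into an NSS db.
# $1 = directory, remaining arguments = importer command; the CRL file path
# is appended to that command for each file.

import_one_crl() {
    # $1 = CRL file, remaining args = importer command
    file=$1; shift
    "$@" "$file"
    rc=$?                      # capture the importer's status BEFORE logging;
    if [ "$rc" -ne 0 ]; then   # "echo ...; return $?" would always return 0
        echo "failed to import CRL $file (status $rc)" >&2
    else
        echo "imported CRL $file"
    fi
    return "$rc"
}

import_crls_from_dir() {
    dir=$1; shift
    failed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # keep going on a bad file, but remember that it failed
        import_one_crl "$f" "$@" || failed=$((failed + 1))
    done
    # non-zero status if any file failed, so the caller can act on it
    [ "$failed" -eq 0 ]
}
```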
