[Swan-dev] please fix test nss-cert-crl-03-strict

Paul Wouters paul at nohats.ca
Mon Jul 23 19:58:31 UTC 2018

On Wed, 18 Jul 2018, D. Hugh Redelmeier wrote:

> This looks like an improvement compared with the reference logs.  Is it?
> testing/pluto/nss-cert-crl-03-strict failed west:output-different
> testing/pluto/nss-cert-crl-03-strict/OUTPUT/west.console.diff
> 108 "nss-cert-crl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> -003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
> -003 "nss-cert-crl" #1: received and ignored informational message
> -010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
> 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org'

I think what is happening is that earlier on, we could have an expired
CRL and it would first reject the conn while refetching a new CRL and the
second attempt would work. But now pluto fetches updated CRLs on startup,
so this test no longer catches any old CRL in use. The fix is an impair
option to disable the startup CRL fetch.

