[Swan-dev] please fix test nss-cert-crl-03-strict
Andrew Cagney
andrew.cagney at gmail.com
Tue Jul 24 01:07:44 UTC 2018
On Mon, 23 Jul 2018 at 15:58, Paul Wouters <paul at nohats.ca> wrote:
>
> On Wed, 18 Jul 2018, D. Hugh Redelmeier wrote:
>
> > This looks like an improvement compared with the reference logs. Is it?
> >
> > testing/pluto/nss-cert-crl-03-strict failed west:output-different
> >
> > testing/pluto/nss-cert-crl-03-strict/OUTPUT/west.console.diff
> > 108 "nss-cert-crl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > -003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
> > -003 "nss-cert-crl" #1: received and ignored informational message
> > -010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
> > 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org'
>
> I think what is happening is that earlier on, we could have an expired
> CRL and it would first reject the conn while refetching a new CRL and the
> second attempt would work. But now pluto fetches updated CRLs on startup,
> so this test no longer caught any old CRL in use. The fix is an impair
> option to disable the startup CRL fetch.
The first crl fetch happens about 5 seconds after the event loop
starts - see init_fetch(). So it could also be racy.
Andrew