[Swan-dev] Libreswan library not taking CRLs from the certificate link.

Tuomo Soini tis at foobar.fi
Tue Dec 17 17:37:24 UTC 2019


On Tue, 17 Dec 2019 22:29:10 +0530
Utkarsh Kumar <utkarshkumar84 at gmail.com> wrote:

> Hi Everyone,
> I have an application where I am establishing an IPSEC connection
> between two linux machines using libreswan, which is happening
> successfully.

Please use the swan@ lists for usage issues like this.

> I have enabled strict crl check in config with interval of 60 sec.
> 
>         crl-strict=yes
>         crlcheckinterval=1m

1m is far too often. Use something sensible like hours. CRL lifetimes
are days, so you don't need to hammer the crl distribution point every
minute.

> End Certificate:
> [image: Screen Shot 2019-12-17 at 10.23.45 PM.png]

Unfortunately this image didn't show what the crypto library thinks about
the crl distribution point. Also note you must be able to fetch that crl
without IPsec when IPsec is enabled - so the distribution point must not be
behind your tunnel when you use strict crl checking. Or at least you
must make sure you can get the tunnel up without strict checking to get the
crl into the nss database the first time.

> But the CRL list is not updating automatically. In the logs I am
> seeing the following error. Can anyone please help me with the solution
> here.

> Error:
> 
> Dec 17 18:46:05: | *time to check crls
> Dec 17 18:46:05: | attempting to add a new CRL fetch request
> Dec 17 18:46:05: | could not find CRL URI ext -8157

The CRL url must be in the end certificate or the issuer certificate. In either
case crl fetching happens - your (too big) picture didn't reveal the
true information about the certificate, so it's quite hard to help. And
it must be fetchable without IPsec and with IPsec.


-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
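Tuomo's point that the CRL URL has to be carried by the end certificate or its issuer, as an added example that is not from the thread or the libreswan project: a stdlib-only DER walker that inspects an X.509 Extensions SEQUENCE for the CRL Distribution Points extension (OID 2.5.29.31) and returns its URIs. The two Extensions blocks it runs over are constructed sample data; the one without the extension is the situation behind "could not find CRL URI ext".

```python
CRL_DP_OID = bytes.fromhex("551d1f")     # id-ce-cRLDistributionPoints, OID 2.5.29.31
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, OID 2.5.29.15 (a non-CRL extension)

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one tag/length/value triple (short form, or long form up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def read_tlvs(data: bytes) -> list[tuple[int, bytes]]:
    """Split a DER byte string into its top-level (tag, body) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:                      # short-form length
            size, i = first, i + 2
        else:                                 # long form: low 7 bits = number of length bytes
            nbytes = first & 0x7F
            size = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            i += 2 + nbytes
        out.append((tag, data[i:i + size]))
        i += size
    return out

def crl_dp_uris(extensions: bytes) -> list[str]:
    """Return the URIs in the CRL Distribution Points extension of an Extensions SEQUENCE, [] if absent."""
    uris = []
    for _, ext in read_tlvs(read_tlvs(extensions)[0][1]):  # Extension ::= SEQUENCE {extnID, critical?, extnValue}
        fields = read_tlvs(ext)
        if fields[0][1] != CRL_DP_OID:
            continue
        crl_dps = read_tlvs(fields[-1][1])[0][1]            # extnValue OCTET STRING wraps CRLDistributionPoints
        for _, dp in read_tlvs(crl_dps):                    # DistributionPoint ::= SEQUENCE { [0] distributionPoint ... }
            for t1, dpn in read_tlvs(dp):
                for t2, names in (read_tlvs(dpn) if t1 == 0xA0 else []):    # [0] explicit tag around the CHOICE
                    for t3, gn in (read_tlvs(names) if t2 == 0xA0 else []):  # [0] fullName IMPLICIT GeneralNames
                        if t3 == 0x86:                      # [6] uniformResourceIdentifier (IA5String)
                            uris.append(gn.decode("ascii"))
    return uris

# Constructed sample data, not real certificates: two Extensions blocks, one with the CRL DP and one without.
def _key_usage() -> bytes:
    return tlv(0x30, tlv(0x06, KEY_USAGE_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x03, b"\x05\xa0")))

def _crl_dp(uri: str) -> bytes:
    point = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, uri.encode("ascii")))))
    return tlv(0x30, tlv(0x06, CRL_DP_OID) + tlv(0x04, tlv(0x30, point)))

WITH_CRL_DP = tlv(0x30, _key_usage() + _crl_dp("http://crl.example.test/ca.crl"))
WITHOUT_CRL_DP = tlv(0x30, _key_usage())  # the situation behind "could not find CRL URI ext"
```

On a real certificate, `openssl x509 -in cert.pem -noout -ext crlDistributionPoints` (OpenSSL 1.1.1 or later) prints the same extension; run it against both the end certificate and its issuer, since the URI may sit in either.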