[Swan-dev] Libreswan library not taking CRLs from the certificate link.

Utkarsh Kumar utkarshkumar84 at gmail.com
Tue Dec 17 19:16:39 UTC 2019


Hi Paul,
      Thanks for the response. Yes, my CA certificate doesn't have the CRL
attribute, but I checked many other CA certificates and, for example, out of 10,
only one CA certificate had the CRL distribution point.


Hi Tuomo,
     Thanks for the reply. Here's the compressed version of the image of the end
certificate showing the CRL.

[image: Screen Shot 2019-12-17 at 10.23.45 PM.jpg]


Yes, 1 minute is too frequent an interval to check the CRL. It was set to 1 minute
during debugging of this issue; otherwise it was set to the 8h default value.

Also, my IPsec connection is restricted to SNMP ports, so curl/wget on this
URL is working fine during the IPsec connection.

Please do let me know if I can share any other essential information.

Regards,
Utkarsh.

On Tue, Dec 17, 2019 at 11:13 PM Tuomo Soini <tis at foobar.fi> wrote:

> On Tue, 17 Dec 2019 22:29:10 +0530
> Utkarsh Kumar <utkarshkumar84 at gmail.com> wrote:
>
> > Hi Everyone,
> >          I have an application where I am establishing an IPsec connection
> > between two Linux machines using libreswan, which is happening
> > successfully.
>
> Please use the swan@ lists for usage issues like this.
>
> > I have enabled strict CRL checking in the config with an interval of 60 sec.
> >
> >         crl-strict=yes
> >         crlcheckinterval=1m
>
> 1m is far too often. Use something sensible like hours. CRL lifetimes
> are days, so you don't need to hammer the CRL distribution point every
> minute.
>
> > End Certificate:
> > [image: Screen Shot 2019-12-17 at 10.23.45 PM.png]
>
> Unfortunately this image didn't show what the crypto library thinks about
> the CRL distribution point. Also note you must be able to fetch that CRL
> without IPsec when IPsec is enabled - so the distribution point must not be
> behind your tunnel when you use strict CRL checking. Or at least you
> must make sure you can get the tunnel up without strict checking to get the CRL
> into the NSS database the first time.
>
> > But the CRL list is not updating automatically. In the logs I am
> > seeing the following error. Can anyone please help me with a solution
> > here?
>
> > Error:
> >
> > Dec 17 18:46:05: | *time to check crls
> > Dec 17 18:46:05: | attempting to add a new CRL fetch request
> > Dec 17 18:46:05: | could not find CRL URI ext -8157
>
> The CRL URL must be in the end certificate or the issuer certificate. In either
> case CRL fetching happens - your (too big) picture didn't reveal the
> true information about the certificate, so it's quite hard to help. And
> it must be fetchable without IPsec and with IPsec.
>
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
> _______________________________________________
> Swan-dev mailing list
> Swan-dev at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan-dev
>
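The thread turns on one question: does the end-entity certificate, or failing that its issuer, actually carry a CRL Distribution Points extension (OID 2.5.29.31) that libreswan can hand to NSS? The "could not find CRL URI ext -8157" line says NSS could not find that extension (-8157 is NSS's SEC_ERROR_EXTENSION_NOT_FOUND). A screenshot does not settle this; the certificate text does. The script below is an added example, not code from the libreswan project or from either poster: it constructs a throwaway CA and two leaf certificates (one issued with a CDP, one without), then checks each the way a practitioner would before enabling `crl-strict=yes`, walking the chain in the same order Tuomo describes (end certificate first, then issuer). The CA name, the leaf names and the URL `http://crl.example.test/ca.crl` are made up for the demonstration; on a real system you would point the same `has_cdp`/`crl_uris` checks at the PEM you loaded into NSS, or print the stored certificate with `certutil -L -d sql:/etc/ipsec.d -n <nickname>` and grep that output instead.

```shell
#!/bin/sh
# Added example (not from the libreswan project): verify that a certificate
# chain carries a CRL Distribution Points extension before turning on
# crl-strict=yes. Requires openssl 1.1.1 or later on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test CA. Name and 1-day lifetime are arbitrary.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 1 \
    -subj "/CN=Example Test CA" >/dev/null 2>&1

# make_leaf NAME [EXTENSION_LINE]: issue a leaf cert signed by the test CA.
# The optional extension line is appended to the x509v3 extension file, so
# the caller decides whether the leaf gets a crlDistributionPoints entry.
make_leaf() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\n%s\n' "${2:-}" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Hypothetical distribution point URL; a real one must be reachable both
# outside and inside the tunnel, as the thread points out.
make_leaf withcdp "crlDistributionPoints=URI:http://crl.example.test/ca.crl"
make_leaf nocdp

# has_cdp FILE: exit 0 if the PEM certificate carries a CRL Distribution
# Points extension, 1 otherwise. This is the extension NSS reported missing.
has_cdp() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'X509v3 CRL Distribution Points'
}

# crl_uris FILE: print the URI(s) from the CDP extension, one per line,
# without the "URI:" prefix. Prints nothing when the extension is absent.
crl_uris() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'URI:[^[:space:]]*' | sed 's/^URI://' || true
}

# chain_has_cdp END_CERT ISSUER_CERT: exit 0 if either certificate carries a
# CDP, mirroring the "end certificate or issuer certificate" rule above.
chain_has_cdp() {
    has_cdp "$1" || has_cdp "$2"
}

# Report, so the script is useful stand-alone. Exit status is not affected.
for leaf in withcdp nocdp; do
    if chain_has_cdp "$WORK/$leaf.crt" "$WORK/ca.crt"; then
        echo "$leaf: CRL fetch possible, URI(s): $(crl_uris "$WORK/$leaf.crt")"
    else
        echo "$leaf: neither leaf nor issuer has a CDP; crl-strict=yes will fail"
    fi
done
```

Run it against the certificates you actually loaded into the NSS database, not the ones on a workstation, since only what NSS holds matters to pluto. When neither the end certificate nor its issuer has a CDP, no `crlcheckinterval` value helps; the certificate must be reissued with the extension, and the interval itself should stay at a value measured in hours, as the 8h default in the thread.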