[Swan] Current state of CRL handling?

Paul Wouters paul at nohats.ca
Tue Sep 13 16:19:17 UTC 2016


On Tue, 13 Sep 2016, Nels Lindquist wrote:

> Just wondering what the current state of CRL handling in LibreSWAN is?

It's fantastic. Let me tell you about CRL fetching. We do very well with
CRL fetching. We're going to have the best CRL fetching and we are
going to make the browsers pay for them!

But seriously, there is one CRL fix going into 3.19 :)

pluto: iterate all X.509 certs and try to fetch their crls

https://github.com/libreswan/libreswan/commit/89d9541229ecac9090305d9c5a828a4969b97ae8

> I'm running 3.18, and files in /etc/ipsec.d/crls seem to be detected and 
> imported by "ipsec auto --rereadcrls", but "ipsec auto --listcrls" shows 
> nothing:
>
>>  ipsec auto --rereadcrls
>>  002   loading crl file 'crl.pem' (1223 bytes)
>
>>  ipsec auto --listcrls
>>  000
>>  000 List of CRLs:

You do need to have a connection loaded with a certificate for the CRLs
to be loaded and visible.

> Attempts to import a CRL file into the NSS database using crlutil fail with 
> "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL has an invalid 
> format."

We should still be reading CRLs from /etc/ipsec.d/crls if you place it
there, although that is legacy. Importing it should work, provided you
have the CA there as well I think.

Paul
