[Swan] Current state of CRL handling?
nlindq at maei.ca
Tue Sep 13 21:50:09 UTC 2016
On 2016/09/13 10:19 AM, Paul Wouters wrote:
> On Tue, 13 Sep 2016, Nels Lindquist wrote:
>> Just wondering what the current state of CRL handling in LibreSWAN is?
> It's fantastic. Let me tell you about CRL fetching. We do very well with
> CRL fetching. We're going to have the best CRL fetching and we are
> going to make the browsers pay for them!
That all sounds great, just so long as they're not running on a private
> But seriously, there is one CRL fix going into 3.19 :)
> pluto: iterate all X.509 certs and try to fetch their crls
>> I'm running 3.18, and files in /etc/ipsec.d/crls seem to be detected
>> and imported by "ipsec auto --rereadcrls", but "ipsec auto --listcrls"
>> shows nothing:
>>> ipsec auto --rereadcrls
>>> 002 loading crl file 'crl.pem' (1223 bytes)
>>> ipsec auto --listcrls
>>> 000 List of CRLs:
> You do need to have a connection loaded with a certificate for the CRLs
> to be loaded and visible.
That is the case--not just loaded, but active even. I tried restarting
ipsec and reestablishing the connections to see if it was a
load-on-start issue but still no CRLs are displayed.
>> Attempts to import a CRL file into the NSS database using crlutil fail
>> with "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL
>> has an invalid format."
> We should still be reading CRLS from /etc/ipsec.d/crls if you place it
> there, although that is legacy. Importing it should work, provided you
> have the CA there as well I think.
I do indeed have the CA in the nss database, though not with its private
key. Would that matter for CRL importation?
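As an added example (not from this thread or the libreswan project), one defensive check before handing a CRL to crlutil: crlutil expects DER-encoded input, so a PEM-encoded file, which the name "crl.pem" in the thread suggests, is a plausible but unconfirmed trigger for SEC_ERROR_CRL_INVALID. The script detects the encoding, converts PEM to DER with openssl, verifies the CRL's signature against the CA certificate, and only then imports it. The NSS directory `sql:/etc/ipsec.d`, the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from libreswan.
# crlutil takes DER input; a PEM file is assumed (not confirmed by the thread)
# to be one cause of SEC_ERROR_CRL_INVALID. Paths and NSS dir are assumptions.

# crl_encoding FILE -> prints "pem", "der" or "unknown"
crl_encoding() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # a DER-encoded CRL begins with an ASN.1 SEQUENCE tag (0x30)
        echo der
    else
        echo unknown
    fi
}

# prepare_crl FILE OUT_DER -> writes a DER copy, converting from PEM when needed
prepare_crl() {
    case "$(crl_encoding "$1")" in
        pem) openssl crl -in "$1" -inform PEM -outform DER -out "$2" ;;
        der) cp "$1" "$2" ;;
        *)   echo "unrecognised CRL encoding: $1" >&2; return 1 ;;
    esac
}

# import_crl CRL_FILE CA_CERT [NSSDIR]
# Verifies the CRL signature against the CA before importing into the NSS
# database pluto uses (default directory is an assumption; adjust to your setup).
import_crl() {
    crl="$1"; ca="$2"; nssdir="${3:-sql:/etc/ipsec.d}"
    tmp="$(mktemp)"
    prepare_crl "$crl" "$tmp" || { rm -f "$tmp"; return 1; }
    # -CAfile makes openssl check the CRL signature; a bad or unrelated CA fails here
    openssl crl -in "$tmp" -inform DER -CAfile "$ca" -noout || { rm -f "$tmp"; return 1; }
    crlutil -I -d "$nssdir" -i "$tmp" -t 1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# usage (assumed paths):
#   import_crl /etc/ipsec.d/crls/crl.pem /etc/ipsec.d/cacerts/ca.pem sql:/etc/ipsec.d
```

After a successful import, `crlutil -L -d sql:/etc/ipsec.d` lists the CRL by issuer, which is a quicker way to confirm the database state than waiting for `ipsec auto --listcrls`, which in the thread only shows CRLs once a connection using a certificate is loaded.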