[Swan] Current state of CRL handling?

Nels Lindquist nlindq at maei.ca
Tue Sep 13 21:50:09 UTC 2016

On 2016/09/13 10:19 AM, Paul Wouters wrote:

> On Tue, 13 Sep 2016, Nels Lindquist wrote:
>> Just wondering what the current state of CRL handling in LibreSWAN is?
> It's fantastic. Let me tell you about CRL fetching. We do very well with
> CRL fetching.  We're going to have the best CRL fetching and we are
> going to make the browsers pay for them!

That all sounds great, just so long as they're not running on a private 
e-mail server!

> But seriously, there is one CRL fix going into 3.19 :)
> pluto: iterate all X.509 certs and try to fetch their crls
> https://github.com/libreswan/libreswan/commit/89d9541229ecac9090305d9c5a828a4969b97ae8
>> I'm running 3.18, and files in /etc/ipsec.d/crls seem to be detected
>> and imported by "ipsec auto --rereadcrls", but "ipsec auto --listcrls"
>> shows nothing:
>>>  ipsec auto --rereadcrls
>>>  002   loading crl file 'crl.pem' (1223 bytes)
>>>  ipsec auto --listcrls
>>>  000
>>>  000 List of CRLs:
> You do need to have a connection loaded with a certificate for the CRLs
> to be loaded and visible.

That is the case--not just loaded, but active even.  I tried restarting 
ipsec and reestablishing the connections to see if it was a 
load-on-start issue but still no CRLs are displayed.

>> Attempts to import a CRL file into the NSS database using crlutil fail
>> with "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL
>> has an invalid format."
> We should still be reading CRLS from /etc/ipsec.d/crls if you place it
> there, although that is legacy. Importing it should work, provided you
> have the CA there as well I think.

I do indeed have the CA in the nss database, though not with its private 
key.  Would that matter for CRL importation?

Nels Lindquist
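One thing worth ruling out before digging further into the "SEC_ERROR_CRL_INVALID: New CRL has an invalid format" error discussed above is a simple encoding mismatch: `crlutil -I` reads binary DER unless it is told with `-a` that the input is ASCII (PEM/base64). The script below is an added example, not code from the thread or from the libreswan project. It classifies a CRL file as PEM or DER by checking the PEM armour and the outer DER SEQUENCE length, and prints the matching `crlutil` invocation. It assumes the documented `crlutil` options `-I` (import), `-i` (input file), `-d` (database directory) and `-a` (ASCII input), and assumes `/etc/ipsec.d` as the NSS database directory; both the path and the sample bytes are assumptions, and the sample is only structurally shaped like a CRL, not a real signed one.

```python
import base64
import re
import sys

# PEM armour used for CRLs (RFC 7468 label "X509 CRL").
PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def der_length(buf, offset):
    """Decode a DER length field at buf[offset]; return (length, header_bytes)."""
    first = buf[offset]
    if first < 0x80:                      # short form: one byte
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4:                   # indefinite or absurdly long: not DER
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[offset + 1:offset + 1 + n], "big"), 1 + n


def looks_like_der_crl(buf):
    """True if buf is a single DER SEQUENCE whose length covers the whole buffer.

    A CertificateList is a SEQUENCE (tag 0x30); any trailing or missing bytes
    mean the file is not a clean DER object and NSS will reject it.
    """
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    try:
        length, hdr = der_length(buf, 1)
    except (ValueError, IndexError):
        return False
    return 1 + hdr + length == len(buf)


def classify_crl(data):
    """Return ('pem', der_bytes), ('der', der_bytes) or ('unknown', None)."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(m.group(1), validate=False)
        except (ValueError, TypeError):
            return ("unknown", None)
        return ("pem", der) if looks_like_der_crl(der) else ("unknown", None)
    if looks_like_der_crl(data):
        return ("der", data)
    return ("unknown", None)


def crlutil_import_command(path, fmt, nssdir="/etc/ipsec.d"):
    """Build the crlutil import command line for a file of the given format.

    nssdir="/etc/ipsec.d" is an assumption about where libreswan keeps its
    NSS database; adjust to the ipsec.conf setting in use.
    """
    if fmt not in ("pem", "der"):
        raise ValueError("cannot import a file of unknown format")
    args = ["crlutil", "-I", "-d", nssdir, "-i", path]
    if fmt == "pem":
        args.append("-a")                 # tell crlutil the input is ASCII/base64
    return " ".join(args)


# Constructed sample data (assumption, not a real CRL): SEQUENCE { SEQUENCE { INTEGER 1 } }
SAMPLE_DER = bytes.fromhex("30053003020101")
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.b64encode(SAMPLE_DER)
              + b"\n-----END X509 CRL-----\n")


if __name__ == "__main__":
    # Usage: python crlcheck.py /etc/ipsec.d/crls/crl.pem
    with open(sys.argv[1], "rb") as fh:
        fmt, _ = classify_crl(fh.read())
    print("detected format:", fmt)
    if fmt != "unknown":
        print("suggested import:", crlutil_import_command(sys.argv[1], fmt))
```

Run it against the file that `--rereadcrls` reported as loaded; if the format comes back as `unknown`, the file is neither clean PEM nor clean DER and the import error is about the file itself rather than about NSS or the CA.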
