[Swan] Current state of CRL handling?
Nels Lindquist
nlindq at maei.ca
Tue Sep 13 21:50:09 UTC 2016
On 2016/09/13 10:19 AM, Paul Wouters wrote:
> On Tue, 13 Sep 2016, Nels Lindquist wrote:
>
>> Just wondering what the current state of CRL handling in LibreSWAN is?
>
> It's fantastic. Let me tell you about CRL fetching. We do very well with
> CRL fetching. We're going to have the best CRL fetching and we are
> going to make the browsers pay for them!
That all sounds great, just so long as they're not running on a private
e-mail server!
> But seriously, there is one CRL fix going into 3.19 :)
>
> pluto: iterate all X.509 certs and try to fetch their crls
>
> https://github.com/libreswan/libreswan/commit/89d9541229ecac9090305d9c5a828a4969b97ae8
>
>
>> I'm running 3.18, and files in /etc/ipsec.d/crls seem to be detected
>> and imported by "ipsec auto --rereadcrls", but "ipsec auto --listcrls"
>> shows nothing:
>>
>>> ipsec auto --rereadcrls
>>> 002 loading crl file 'crl.pem' (1223 bytes)
>>
>>> ipsec auto --listcrls
>>> 000
>>> 000 List of CRLs:
>
> You do need to have a connection loaded with a certificate for the CRLs
> to be loaded and visible.
That is the case--not just loaded, but active even. I tried restarting
ipsec and reestablishing the connections to see if it was a
load-on-start issue but still no CRLs are displayed.
>> Attempts to import a CRL file into the NSS database using crlutil fail
>> with "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL
>> has an invalid format."
>
> We should still be reading CRLS from /etc/ipsec.d/crls if you place it
> there, although that is legacy. Importing it should work, provided you
> have the CA there as well I think.
I do indeed have the CA in the nss database, though not with its private
key. Would that matter for CRL importation?
Nels Lindquist
More information about the Swan
mailing list