[Swan] Current state of CRL handling?

Paul Wouters paul at nohats.ca
Tue Sep 13 23:54:54 UTC 2016


On Tue, 13 Sep 2016, Nels Lindquist wrote:

>>  It's fantastic. Let me tell you about CRL fetching. We do very well with
>>  CRL fetching.  We're going to have the best CRL fetching and we are
>>  going to make the browsers pay for them!
>
> That all sounds great, just so long as they're not running on a private 
> e-mail server!

:)

>>  You do need to have a connection loaded with a certificate for the CRLs
>>  to be loaded and visible.
>
> That is the case--not just loaded, but active even.  I tried restarting ipsec 
> and reestablishing the connections to see if it was a load-on-start issue but 
> still no CRLs are displayed.

Is there anything in the logs about CRLs?

Note we do have some CRL issues on our TODO list, which we will
hopefully get to this week.

>> >  Attempts to import a CRL file into the NSS database using crlutil fail
>> >  with "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL
>> >  has an invalid format."
>>

Maybe Tuomo can say more about this.

>>  there, although that is legacy. Importing it should work, provided you
>>  have the CA there as well I think.
>
> I do indeed have the CA in the nss database, though not with its private key. 
> Would that matter for CRL importation?

No, the private CA key does not belong on the VPN server.

Paul
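
One way to stage a CRL for the crlutil import discussed in this thread, as an added example that is not code from the thread or from libreswan: it detects whether the file is PEM or DER, converts to DER (the encoding crlutil's import reads without extra options), checks the CRL signature against the issuing CA before touching the database, and then imports and lists. The NSS directory /etc/ipsec.d, the `sql:` prefix and the CA file argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stage a CRL for import into the
# libreswan NSS database with crlutil. Paths are assumptions.
set -eu

NSSDIR="${NSSDIR:-/etc/ipsec.d}"   # assumed NSS database location

# Detect encoding from the first bytes of the file: a PEM CRL starts with
# the "-----BEGIN X509 CRL-----" header, a DER CRL starts with SEQUENCE (0x30).
crl_encoding() {
  if head -c 24 "$1" | grep -q '^-----BEGIN X509 CRL'; then
    echo pem
  elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' ')" = "30" ]; then
    echo der
  else
    echo unknown
  fi
}

# $1: CRL file (PEM or DER), $2: PEM certificate of the CA that issued it,
# $3: optional path for the DER copy that crlutil will read.
import_crl() {
  crl="$1"; ca="$2"; der="${3:-/tmp/crl.der}"
  case "$(crl_encoding "$crl")" in
    pem) openssl crl -inform PEM -in "$crl" -outform DER -out "$der" ;;
    der) cp "$crl" "$der" ;;
    *)   echo "not a CRL: $crl" >&2; return 1 ;;
  esac
  # Exits non-zero unless the CA in hand actually signed this CRL, so a
  # CRL from the wrong CA is rejected before it reaches the database.
  openssl crl -inform DER -in "$der" -CAfile "$ca" -noout
  crlutil -I -i "$der" -d "sql:$NSSDIR" -t 1   # -t 1: SEC_CRL_TYPE
  crlutil -L -d "sql:$NSSDIR"                  # list what the db now holds
}

if [ $# -ge 2 ]; then
  import_crl "$@"
fi
```

Run as `sh import-crl.sh crl.pem ca.pem` on the VPN server; the CA certificate (without its private key, as noted above) must already be in the NSS database for the CRL to be usable.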
