[Swan] Current state of CRL handling?

Nels Lindquist nlindq at maei.ca
Wed Sep 14 21:04:56 UTC 2016


On 2016/09/13 5:54 PM, Paul Wouters wrote:

> On Tue, 13 Sep 2016, Nels Lindquist wrote:
>
>>> You do need to have a connection loaded with a certificate for
>>> the CRLs to be loaded and visible.
>>
>> That is the case--not just loaded, but active even.  I tried
>> restarting ipsec and reestablishing the connections to see if it
>> was a load-on-start issue but still no CRLs are displayed.
>
> Is there anything in the logs about CRLs?

By default, nothing more than what's displayed in response to the 
--rereadcrls directive (from secure.log):

> Sep 13 12:17:05 yeggate pluto[3187]:   loading crl file 'crl.pem' (1223 bytes)

On a different box (same CA and CRL) I enabled plutodebug=x509 and get 
this on ipsec restart:

> Sep 14 14:54:33 mail2 pluto[17331]: | Changing to directory '/etc/ipsec.d/crls'
> Sep 14 14:54:33 mail2 pluto[17331]:   loading crl file 'crl.pem' (1223bytes)
> Sep 14 14:54:33 mail2 pluto[17331]: | crl issuer found MAEI Root Certificate : nick E=root at maei.ca,CN=MAEI Root Certificate,OU=InformationTechnology,O=Morningstar Air Express Inc.,L=Edmonton International Airport,ST=Alberta,C=CA
> Sep 14 14:54:33 mail2 pluto[17331]: | could not find CRL URI ext -8157

And upon initiating a certificate-authenticated connection:

> Sep 14 14:55:23 mail2 pluto[17331]: | get_issuer_crl : looking for a CRL issued by E=root at maei.ca,CN=MAEI Root Certificate,OU=Information Technology,O=Morningstar Air Express Inc.,L=Edmonton International Airport,ST=Alberta,C=CA
> Sep 14 14:55:23 mail2 pluto[17331]: | missing or expired CRL
> Sep 14 14:55:23 mail2 pluto[17331]: | crl_strict: 0, ocsp: 0, ocsp_strict: 0
> Sep 14 14:55:23 mail2 pluto[17331]: | certificate is valid


> Note we do have some CRL issues on our TODO list, which we will
> hopefully get to this week.
>
>>>> Attempts to import a CRL file into the NSS database using
>>>> crlutil fail with "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID:
>>>> New CRL has an invalid format."
>>>
>
> Maybe Tuomo can say more about this.
>
>>> there, although that is legacy. Importing it should work,
>>> provided you have the CA there as well I think.
>>
>> I do indeed have the CA in the nss database, though not with its
>> private key. Would that matter for CRL importation?
>
> No, the private CA key does not belong on the VPN server.

Good, yes.

Nels Lindquist
----
<nlindq at maei.ca>
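As an added illustration (not part of this thread and not libreswan's own code), the checks below reproduce what the debug log above reports about a loaded CRL: whether its issuer matches the CA's subject, whether it verifies under the CA key, whether it is past its nextUpdate ("missing or expired CRL"), and how crl_strict: 0 lets the peer certificate through anyway. It uses the Python cryptography library and a constructed test CA; the function names (make_ca, make_crl, crl_problems, accept_peer_cert) are my own.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_ca(cn="Example Root Certificate"):
    """Constructed test CA (sample data only): EC key plus self-signed certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(key, ca_cert, hours_until_next_update):
    """Empty CRL signed by the CA; a negative offset yields an already-stale CRL."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
            .last_update(now - timedelta(days=8))
            .next_update(now + timedelta(hours=hours_until_next_update))
            .sign(key, hashes.SHA256()))

def _utc(dt):
    # Older cryptography releases return naive UTC datetimes; normalise them.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def crl_problems(crl, ca_cert, now=None):
    """Reasons a pluto-style lookup would report this CRL as missing or expired."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if crl.issuer != ca_cert.subject:
        problems.append("issuer does not match the loaded CA")
    if not crl.is_signature_valid(ca_cert.public_key()):
        problems.append("signature not verifiable with the CA key")
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update
    if next_update is not None and _utc(next_update) < now:
        problems.append("expired (nextUpdate %s)" % next_update.isoformat())
    return problems

def accept_peer_cert(crl, ca_cert, crl_strict):
    """Mirror the crl_strict decision: an unusable CRL only blocks when strict."""
    return not crl_problems(crl, ca_cert) or not crl_strict
```

Run against a real crl.pem with x509.load_pem_x509_crl() and the CA from the NSS database to see which of the three conditions pluto is tripping over.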
