[Swan] Current state of CRL handling?

Tuomo Soini tis at foobar.fi
Wed Sep 14 21:09:39 UTC 2016


On Tue, 13 Sep 2016 19:54:54 -0400 (EDT)
Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 13 Sep 2016, Nels Lindquist wrote:
> 
> >>  It's fantastic. Let me tell you about CRL fetching. We do very
> >> well with CRL fetching.  We're going to have the best CRL fetching
> >> and we are going to make the browsers pay for them!
> >
> > That all sounds great, just so long as they're not running on a
> > private e-mail server!
> 
> :)
> 
> >>  You do need to have a connection loaded with a certificate for
> >> the CRLs to be loaded and visible.
> >
> > That is the case--not just loaded, but active even.  I tried
> > restarting ipsec and reestablishing the connections to see if it
> > was a load-on-start issue but still no CRLs are displayed.
> 
> Is there anything in the logs about CRLs?
> 
> Note we do have some CRL issues on our TODO list, which we will
> hopefully get to this week.
> 
> >> >  Attempts to import a CRL file into the NSS database using
> >> > crlutil fail with "crlutil: unable to import CRL:
> >> > SEC_ERROR_CRL_INVALID: New CRL has an invalid format."
> >>

All CRLs are expected to be in DER format, but PEM is supported too.
Your error sounds like the CRL is not in the correct format. That also
explains why you don't see your CRL in ipsec auto --listcrls.

It's required that the CA matching the CRL is in the NSS db for CRLs to
work, so you can't import a CRL from a CA which is not in your NSS db.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
