[Swan] Current state of CRL handling?

Nels Lindquist nlindq at maei.ca
Thu Sep 15 15:16:19 UTC 2016

On 2016/09/14 3:09 PM, Tuomo Soini wrote:

>>>>>  Attempts to import a CRL file into the NSS database using
>>>>> crlutil fail with "crlutil: unable to import CRL:
>>>>> SEC_ERROR_CRL_INVALID: New CRL has an invalid format."
> All crls are expected to be in der format but pem is supported too.
> Your error sounds like crl is not in correct format. That also explains
> why you don't see your crl in ipsec auto --listcrls.

CRL is bog standard as generated by "openssl ca" exactly the same way 
I've been generating them since the FreeSWAN days; but please see my 
other reply to Paul with some additional logging I was able to generate 
with "plutodebug=x509" (part also copied below).

> It's required that CA matching crl is in nss db for crls to work - so
> you can't import crl from CA which is not in your nss db.

The CA is definitely present in the NSS db, and seems to be found:

> Sep 14 14:54:33 mail2 pluto[17331]: Changing to directory
> '/etc/ipsec.d/crls'
> Sep 14 14:54:33 mail2 pluto[17331]:   loading crl
> file 'crl.pem' (1223bytes)
> Sep 14 14:54:33 mail2 pluto[17331]: crl issuer found MAEI Root
> Certificate : nick E=root at maei.ca,CN=MAEI Root
> Certificate,OU=InformationTechnology,O=Morningstar Air Express
> Inc.,L=Edmonton International Airport,ST=Alberta,C=CA
> Sep 14 14:54:33 mail2 pluto[17331]: could not find CRL URI ext -8157

I'm wondering about the "could not find CRL URI..." problem, though.

Nels Lindquist
<nlindq at maei.ca>
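As an added example, not code from this thread or from Libreswan: a small POSIX shell script that checks the encoding of a CRL file before handing it to crlutil, converts PEM to DER with openssl, verifies the CRL signature against the CA certificate exported from the NSS database, and only then imports it and lists the result. The NSS db path and CA nickname are assumed placeholders.

```shell
#!/bin/sh
# Paths and nickname are placeholders (assumed, not from the thread): the NSS
# db that pluto uses and the nickname of the issuing CA inside it.
NSSDIR="${NSSDIR:-sql:/etc/ipsec.d}"
CA_NICK="${CA_NICK:-your-ca-nickname}"

# crl_format FILE -> prints "pem", "der" or "unknown". A PEM CRL starts with
# the "-----BEGIN X509 CRL-----" header; a DER CRL is a raw ASN.1 SEQUENCE,
# so its first byte is 0x30. Anything else is not going to decode in NSS.
crl_format() {
    if [ "$(head -c 24 "$1")" = "-----BEGIN X509 CRL-----" ]; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# crl_to_der SRC DST -> writes a DER copy of SRC to DST, converting PEM with
# openssl when needed; fails if SRC is in neither encoding.
crl_to_der() {
    case "$(crl_format "$1")" in
        pem) openssl crl -in "$1" -inform PEM -outform DER -out "$2" ;;
        der) cp "$1" "$2" ;;
        *)   echo "$1: neither a PEM nor a DER CRL" >&2; return 1 ;;
    esac
}

# crl_signed_by_db_ca DER_CRL -> succeeds only if the CRL's signature verifies
# against the CA certificate exported from the NSS db, i.e. the issuer really
# is the CA that pluto will look up ("crl issuer found ...").
crl_signed_by_db_ca() {
    ca_pem=$(mktemp) || return 1
    if certutil -L -d "$NSSDIR" -n "$CA_NICK" -a > "$ca_pem" &&
       openssl crl -in "$1" -inform DER -CAfile "$ca_pem" -noout; then
        rm -f "$ca_pem"; return 0
    fi
    rm -f "$ca_pem"; return 1
}

# Usage: sh crl-import.sh /etc/ipsec.d/crls/crl.pem
# Import only a CRL that is DER and verifies, then list what NSS now holds.
if [ $# -eq 1 ]; then
    der=$(mktemp) || exit 1
    crl_to_der "$1" "$der" && crl_signed_by_db_ca "$der" &&
        crlutil -I -i "$der" -d "$NSSDIR" -t 1 && crlutil -L -d "$NSSDIR"
    rc=$?; rm -f "$der"; exit $rc
fi
```

A file that is neither PEM nor DER is rejected before crlutil ever sees it, which is the first thing to rule out when the import fails with SEC_ERROR_CRL_INVALID.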
