[Swan] Current state of CRL handling?
Nels Lindquist
nlindq at maei.ca
Thu Sep 15 15:16:19 UTC 2016
On 2016/09/14 3:09 PM, Tuomo Soini wrote:
>>>>> Attempts to import a CRL file into the NSS database using
>>>>> crlutil fail with "crlutil: unable to import CRL:
>>>>> SEC_ERROR_CRL_INVALID: New CRL has an invalid format."
>>>>
>
> All crls are expected to be in der format but pem is supported too.
> Your error sounds like crl is not in correct format. That also explains
> why you don't see your crl in ipsec auto --listcrls.
CRL is bog standard as generated by "openssl ca" exactly the same way
I've been generating them since the FreeSWAN days; but please see my
other reply to Paul with some additional logging I was able to generate
with "plutodebug=x509" (part also copied below).
> It's required that CA matching crl is in nss db for crls to work - so
> you can't import crl from CA which is not in your nss db.
The CA is definitely present in the NSS db, and seems to be found:
> Sep 14 14:54:33 mail2 pluto[17331]: Changing to directory
> '/etc/ipsec.d/crls'
> Sep 14 14:54:33 mail2 pluto[17331]: loading crl
> file 'crl.pem' (1223bytes)
> Sep 14 14:54:33 mail2 pluto[17331]: crl issuer found MAEI Root
> Certificate : nick E=root at maei.ca,CN=MAEI Root
> Certificate,OU=InformationTechnology,O=Morningstar Air Express
> Inc.,L=Edmonton International Airport,ST=Alberta,C=CA
> Sep 14 14:54:33 mail2 pluto[17331]: could not find CRL URI ext -8157
I'm wondering about the "could not find CRL URI..." problem, though.
Nels Lindquist
----
<nlindq at maei.ca>
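An added example, not code from the thread or from the libreswan project, of the checks a reader of this exchange would run before retrying the import: detect whether the CRL file is PEM or DER (crlutil takes DER; a PEM CRL is converted with openssl first), confirm the issuing CA is already in the NSS database as Tuomo requires, look at whether that CA certificate carries a CRL Distribution Points extension (NSS error -8157 is SEC_ERROR_EXTENSION_NOT_FOUND, which is the code pluto printed beside "could not find CRL URI ext"), and only then call crlutil. The database path sql:/etc/ipsec.d and the CA nickname are parameters the caller supplies; they are assumptions here, not facts taken from Nels's setup.

```shell
#!/bin/sh
# Added example (not from the thread): triage a CRL that crlutil rejects with
# SEC_ERROR_CRL_INVALID before importing it into libreswan's NSS database.
# Assumptions: the NSS db directory (default sql:/etc/ipsec.d) and the CA
# nickname are passed in by the caller; neither is taken from the thread.

# Report whether a CRL file is DER, PEM or neither. A DER CRL starts with the
# ASN.1 SEQUENCE tag 0x30; a PEM CRL carries "-----BEGIN X509 CRL-----" armor.
crl_format() {
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    elif grep -q -- '-----BEGIN X509 CRL-----' "$1"; then
        echo pem
    else
        echo unknown
    fi
}

# Write a DER copy of CRL $1 to $2, converting from PEM only when needed.
# Returns non-zero if the input is neither format.
crl_to_der() {
    case "$(crl_format "$1")" in
        der) cp "$1" "$2" ;;
        pem) openssl crl -inform PEM -in "$1" -outform DER -out "$2" ;;
        *)   echo "$1: not a PEM or DER CRL" >&2; return 1 ;;
    esac
}

# Import a CRL after confirming its issuer is present in the NSS db.
#   $1 = CRL file, $2 = NSS db directory (sql:/etc/ipsec.d if empty),
#   $3 = nickname of the issuing CA as shown by "certutil -L -d <db>"
import_crl() {
    nssdb=${2:-sql:/etc/ipsec.d}
    tmpder=$(mktemp)
    crl_to_der "$1" "$tmpder" || { rm -f "$tmpder"; return 1; }

    echo "CRL issuer:      $(openssl crl -inform DER -in "$tmpder" -noout -issuer)"
    echo "CRL next update: $(openssl crl -inform DER -in "$tmpder" -noout -nextupdate)"

    # The issuing CA has to be in the db already, or the import is refused.
    certutil -L -d "$nssdb" -n "$3" >/dev/null || {
        echo "CA '$3' not found in $nssdb; import it first" >&2
        rm -f "$tmpder"
        return 1
    }

    # pluto logs "could not find CRL URI ext -8157" (SEC_ERROR_EXTENSION_NOT_FOUND)
    # when the CA certificate has no CRL Distribution Points extension to read a
    # CRL URI from; show whether this CA has one.
    certutil -L -d "$nssdb" -n "$3" -a | openssl x509 -noout -text \
        | grep -A2 'CRL Distribution' \
        || echo "note: CA '$3' carries no CRL Distribution Points extension"

    crlutil -I -d "$nssdb" -i "$tmpder" && crlutil -L -d "$nssdb"
    status=$?
    rm -f "$tmpder"
    return $status
}
```

Typical use, after sourcing the functions: `import_crl /etc/ipsec.d/crls/crl.pem sql:/etc/ipsec.d 'E=root at maei.ca,CN=MAEI Root Certificate,...'` with the nickname copied from `certutil -L -d sql:/etc/ipsec.d`. The format check runs with plain POSIX tools; the conversion, CA lookup and import need openssl, certutil and crlutil on the path.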