[Swan] Question/troubleshooting x509 w/ intermediate & root CA

Paul Wouters paul at nohats.ca
Mon Sep 26 18:53:09 UTC 2016


On Mon, 26 Sep 2016, Bryan Harris wrote:

> Sep 26 14:07:34 right pluto[7928]: | get_issuer_crl : looking for a CRL issued by CN=Sally Sub CA,O=Sally,C=US
> Sep 26 14:07:34 right pluto[7928]: | missing or expired CRL
> Sep 26 14:07:34 right pluto[7928]: | crl_strict: 0, ocsp: 0, ocsp_strict: 0
> Sep 26 14:07:34 right pluto[7928]: | certificate is valid

This should still trigger a CRL fetch though, and on the next pass it
should work.

> After trying to use strictcrlpolicy=yes, it didn't work.  Then I recalled a mailing list message about having to manually import the
> CRL and so I did that (using der format and command found on the wiki), now the tunnel works with CRLs and strict crl policy in the
> configuration file.

There is a recent commit in master that forces a CRL fetch 5 seconds
after libreswan starts. It used to wait until a client came in that
needed the CRL.

There are some other X.509 related fixes too in git master that will
be released in 3.19.

Paul
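As an added example, not part of this thread or of libreswan's own code: a check a defender can run over pluto debug output like the lines Bryan quoted. It groups each certificate validation and flags the ones accepted while the CRL was missing and neither strict CRL policy nor OCSP was enabled, i.e. peers admitted without any revocation check. The log lines are constructed to match the quoted format, and the record field names are my own.

```python
import re

# Constructed sample of pluto debug output, modelled on the lines quoted above.
# The second validation (crl_strict: 1) is made up to show a non-flagged case.
SAMPLE_LOG = """\
Sep 26 14:07:34 right pluto[7928]: | get_issuer_crl : looking for a CRL issued by CN=Sally Sub CA,O=Sally,C=US
Sep 26 14:07:34 right pluto[7928]: | missing or expired CRL
Sep 26 14:07:34 right pluto[7928]: | crl_strict: 0, ocsp: 0, ocsp_strict: 0
Sep 26 14:07:34 right pluto[7928]: | certificate is valid
Sep 26 14:09:10 right pluto[7928]: | get_issuer_crl : looking for a CRL issued by CN=Sally Sub CA,O=Sally,C=US
Sep 26 14:09:10 right pluto[7928]: | crl_strict: 1, ocsp: 0, ocsp_strict: 0
Sep 26 14:09:10 right pluto[7928]: | certificate is valid
"""

ISSUER_RE = re.compile(r"looking for a CRL issued by (.+)$")
POLICY_RE = re.compile(r"crl_strict: (\d), ocsp: (\d), ocsp_strict: (\d)")


def parse_validations(log_text):
    """Group pluto lines into one record per certificate validation attempt."""
    records = []
    current = None
    for line in log_text.splitlines():
        # Strip the syslog prefix; pluto debug lines carry ": | " before the message.
        _, _, msg = line.partition(": | ")
        m = ISSUER_RE.search(msg)
        if m:  # a new CRL lookup starts a new validation record
            current = {"issuer": m.group(1).strip(), "crl_missing": False,
                       "crl_strict": False, "ocsp": False, "valid": False}
            records.append(current)
            continue
        if current is None:
            continue
        if msg.startswith("missing or expired CRL"):
            current["crl_missing"] = True
            continue
        m = POLICY_RE.search(msg)
        if m:
            current["crl_strict"] = m.group(1) == "1"
            current["ocsp"] = m.group(2) == "1"
        elif msg.startswith("certificate is valid"):
            current["valid"] = True
    return records


def unchecked_validations(records):
    """Certificates accepted with no usable CRL and nothing else (strict CRL
    policy or OCSP) in place that could have caught a revocation."""
    return [r for r in records
            if r["valid"] and r["crl_missing"]
            and not r["crl_strict"] and not r["ocsp"]]


if __name__ == "__main__":
    for r in unchecked_validations(parse_validations(SAMPLE_LOG)):
        print("accepted without revocation check, issuer:", r["issuer"])
```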