[Swan] Question/troubleshooting x509 w/ intermediate & root CA

Paul Wouters paul at nohats.ca
Mon Sep 26 23:21:21 UTC 2016

On Mon, 26 Sep 2016, Bryan Harris wrote:

> Hmm, for some reason I didn't notice that type of behavior.  But, we
> are using RHEL 6 and so I wonder if version in use does not have the
> latest features.  Or it could be that I haven't yet corrected all
> mistakes in my commands yet, and something is causing these guys to
> behave this way.
> Yep, after reading the man page, if crlcheckinterval is not specified
> then RHEL version of ipsec uses zero, which means it will never fetch
> the CRLs.
> So, I set to five seconds.  Now, when I do a full-restart and then
> "ipse auto --up" this tunnel, whichever server is the OTHER side of
> the tunnel successfully downloads the root CA CRL but not the Sub CA
> CRL.  For some reason they get stuck trying to obtain the Sub CA CRL.
> So they can get one but not the other.

If you use the rhel6 version, then yes you will have some issues still.
You can try to grab the rhel6 package from download.libreswan.org
which packaes 3.18, which has some, but not all fixes, related to x509.
> mode, failing pending update
> Sep 26 17:49:24 left pluto[2299]: |   trusted_ca_nss called with
> a=(empty) b=(empty)
> Sep 26 17:49:24 left pluto[2299]: "mytunnel" #1: no RSA public key
> known for 'C=US, O=Sally, CN=right'
> Sep 26 17:49:24 left pluto[2299]: "mytunnel" #1: sending encrypted

So one bug here is that it sends an INVALID_KEY_INFORMATION, instead
of silently waiting for a resend of the packet (while it fetches
the CRL meanwhile)

> I see that it calls to import CRL on the first line above correctly.
> But I never see it attempt the same function for the second CRL.
> Instead of _import_crl it calls get_issuer_crl.  I have both Root+Sub
> CAs + left/right cert in the NSS database on each side.  My pkcs12
> command had an option something like -certfile <(cat sally1 sally2)
> which imported both of them.

Yes, we were not yet fetching all the intermediate CRLs either. That
is being fixed now and will also be in 3.19.


More information about the Swan mailing list