[Swan] Fwd: [Swan-dev] Libreswan library not taking CRLs from the certificate link.

Utkarsh Kumar utkarshkumar84 at gmail.com
Thu Dec 19 06:01:15 UTC 2019


Hi Tuomo,
         Thanks, changed to the swan list.

        In my scenario, I am importing the certificate into the NSS db using crlutil.

        # fetch the CRL from the distribution point
        wget -P <local-path> --no-check-certificate <crl-distribution-url>

        # import it into the NSS database used by libreswan
        crlutil -I -i <local-path>/*.crl -d sql:/etc/ipsec.d -a -B -f /etc/ipsec.d/nsspassword

        # enable strict CRL checking once, inserted after the virtual_private line of "config setup"
        if ! /bin/grep -R "crl-strict" /etc/ipsec.conf > /dev/null
        then
                sed -i '/virtual_private/ a \\tcrl-strict=yes\n\tcrlcheckinterval=8h' /etc/ipsec.conf
        fi

        ipsec setup restart




     So after these operations the CRLs are imported correctly and work as
expected, and IPsec connections happen fine, but now if I revoke a
certificate, the libreswan library is not able to take the new CRL list, giving
the above error.


Regards,

Utkarsh.



On Wed, Dec 18, 2019 at 3:30 PM Tuomo Soini <tis at foobar.fi> wrote:

> On Wed, 18 Dec 2019 00:46:39 +0530
> Utkarsh Kumar <utkarshkumar84 at gmail.com> wrote:
>
> > Hi Paul,
> >       Thanks for the response, yes my CA certificate doesn't have a CRL
> > attribute, but I checked many other CA certificates and, out of 10 for
> > example, only one CA certificate had the CRL distribution point.
>
> In this case, having the CRL distribution point only in the end certificate
> causes a chicken-and-egg problem. When you request strict CRL checking, that
> means you won't accept the certificate without a CRL. And when you don't
> have the CRL loaded _before_, you can't accept the certificate to get the
> CRL distribution point from the cert.
>
> So you really must load the CRL manually into your NSS database with
> crlutil to be able to accept the certificate the first time.
>
> Again, this doesn't belong on the swan-dev mailing list, please switch to
> the swan list.
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
>
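The refresh procedure the thread circles around (fetch the CRL, check it, load it into NSS, enable strict checking, restart), written out as an added example script. This is not code from the thread or from the libreswan project. It assumes, beyond what the page states, that the CA certificate is available as a PEM file (the path is passed as an argument), that GNU date and OpenSSL 1.1 or newer are installed, and that the NSS db and password file are at the locations the original snippet uses. It verifies the downloaded CRL's signature against the CA before importing it, which is what makes skipping TLS verification on the download tolerable, checks that nextUpdate has not passed (a stale CRL is useless to a strict checker), and, when a serial is given, confirms that the just-revoked certificate really is listed before anything is reloaded. It anchors the two options on the "config setup" line rather than on virtual_private, since they are config-setup options.

```shell
#!/bin/sh
# Added example, not from the thread or from libreswan. Assumed paths/tools:
# NSS db sql:/etc/ipsec.d with password in /etc/ipsec.d/nsspassword (as on the page),
# GNU date, OpenSSL >= 1.1, wget, crlutil.
set -eu

NSSDB="sql:/etc/ipsec.d"
NSSPW="/etc/ipsec.d/nsspassword"
CONF="/etc/ipsec.conf"

# Idempotently enable strict CRL checking. crl-strict and crlcheckinterval are
# 'config setup' options, so insert them right after that line, once.
ensure_crl_settings() {   # ensure_crl_settings <ipsec.conf>
    conf="$1"
    if grep -Eq '^[[:space:]]*crl-strict=' "$conf"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    awk '{ print }
         /^[ \t]*config[ \t]+setup/ && !done {
             print "\tcrl-strict=yes"; print "\tcrlcheckinterval=8h"; done = 1
         }' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# A CRL is signed by the CA, so verify that signature explicitly; the transport
# the CRL came over then does not need to be trusted.
crl_signed_by() {   # crl_signed_by <crl.pem> <ca.pem>
    out=$(openssl crl -in "$1" -CAfile "$2" -noout 2>&1) || return 1
    case "$out" in *"verify OK"*) return 0 ;; *) return 1 ;; esac
}

# Strict checkers reject a CRL whose nextUpdate is in the past.
crl_is_current() {   # crl_is_current <crl.pem>
    nu=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -d "$nu" +%s)" -gt "$(date +%s)" ]
}

# After revoking a certificate, confirm its serial is in the CRL you fetched
# before concluding that the VPN daemon ignored it.
crl_revokes_serial() {   # crl_revokes_serial <crl.pem> <hex-serial>
    openssl crl -in "$1" -noout -text | grep -Eiq "Serial Number: *0*$2\$"
}

refresh_crl() {   # refresh_crl <crl-url> <ca.pem> [revoked-hex-serial]
    url="$1"; ca="$2"; serial="${3:-}"
    crl=$(mktemp)
    wget -q -O "$crl" "$url"
    # Distribution points commonly serve DER; normalise to PEM for the -a import.
    if ! grep -q 'BEGIN X509 CRL' "$crl"; then
        openssl crl -inform DER -in "$crl" -out "$crl.pem" && mv "$crl.pem" "$crl"
    fi
    crl_signed_by "$crl" "$ca" || { echo "CRL signature does not verify against $ca" >&2; exit 1; }
    crl_is_current "$crl"      || { echo "CRL nextUpdate has already passed" >&2; exit 1; }
    if [ -n "$serial" ]; then
        crl_revokes_serial "$crl" "$serial" || { echo "serial $serial is not in the CRL" >&2; exit 1; }
    fi
    # No -B here: let NSS check the CRL signature against the CA in the db as well.
    crlutil -I -i "$crl" -a -d "$NSSDB" -f "$NSSPW"
    crlutil -L -d "$NSSDB"   # show what is now loaded, for the log
    ensure_crl_settings "$CONF"
    ipsec setup restart
    rm -f "$crl"
}

# Only act when called with arguments, so the functions can be sourced/tested.
[ $# -eq 0 ] || refresh_crl "$@"
```

The original snippet passes -B to crlutil, which bypasses its CA signature check on import; with the openssl verification above in place the flag is dropped so that a CRL the NSS db cannot tie to a trusted CA is refused rather than loaded. If the import then fails, the CA certificate is not in the NSS db with the expected trust, which is worth knowing before enabling crl-strict.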