[Swan] Fwd: [Swan-dev] Libreswan library not taking CRLs from the certificate link.
utkarshkumar84 at gmail.com
Thu Dec 19 06:01:15 UTC 2019
Thanks, changed to swan list.
In my scenario, I am importing the certificate to NSS db using CRL
wget -P <local-path> --no-check-certificate
crlutil -I -i <local-path>/*.crl -d sql:/etc/ipsec.d -a -B -f
if ! /bin/grep -R "crl-strict" /etc/ipsec.conf > /dev/null
sed -i '/virtual_private/ a
ipsec setup restart
So after these operations the CRLs are imported correctly and working
as expected, and ipsec connections happen fine, but now if I revoke a
certificate, the libreswan library is not able to take the new CRL list, giving
the above error.
On Wed, Dec 18, 2019 at 3:30 PM Tuomo Soini <tis at foobar.fi> wrote:
> On Wed, 18 Dec 2019 00:46:39 +0530
> Utkarsh Kumar <utkarshkumar84 at gmail.com> wrote:
> > Hi Paul,
> > Thanks for the response, yes my CA certificate doesn't have CRL
> > attribute but I check many other CA certificate and out of 10 for
> > example , only one CA certificate had the CRL distribution point.
> In this case, having the CRL distribution point only in the end certificate
> causes a chicken-and-egg problem. When you request strict CRL checking, that
> means you won't accept the certificate without a CRL. And when you don't
> have the CRL loaded _before_, you can't accept the certificate to get the
> CRL distribution point from the cert.
> So you really must load the CRL manually into your NSS database with
> crlutil to be able to accept the certificate the first time.
> Again, this doesn't belong on the swan-dev mailing list; please switch to
> the swan list.
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
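A refresh script that automates the manual CRL loading described in the message above, added here as an example that is not part of the thread or of libreswan. It assumes the NSS database at sql:/etc/ipsec.d and /etc/ipsec.conf, as in the thread, and that wget and crlutil are on PATH; the CRL URL is whatever the CA publishes.

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): automate the manual CRL
# loading the thread describes so an updated CRL is in the NSS database
# before strict checking needs it. Assumed paths: NSS db sql:/etc/ipsec.d
# and /etc/ipsec.conf (as in the thread); wget and crlutil assumed on PATH.
set -u
NSSDB="${NSSDB:-sql:/etc/ipsec.d}"
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"

# Idempotently add "key=val" under the "config setup" section of an ipsec.conf
# file (creating the section if missing). Existing settings are never altered.
ensure_setup_option() {
    conf="$1" key="$2" val="$3"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        return 0                          # already configured, leave as-is
    fi
    grep -q '^config setup' "$conf" || printf 'config setup\n' >> "$conf"
    awk -v line="\t$key=$val" \
        '{ print } /^config setup/ && !seen { print line; seen = 1 }' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Download one CRL and import it into the NSS database with the crlutil
# flags used in the thread. TLS verification stays on (no
# --no-check-certificate); a CRL is signed, but that is no reason to
# accept an arbitrary server.
import_crl() {
    url="$1"
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    fmt=""
    grep -q -- '-----BEGIN X509 CRL-----' "$tmp" && fmt="-a"   # PEM needs -a
    crlutil -I -i "$tmp" -d "$NSSDB" -B $fmt
    rc=$?
    rm -f "$tmp"
    return $rc
}

# One-shot refresh, suitable for a cron job: enforce strict checking, then
# (re)load every CRL URL given on the command line and show what is loaded.
refresh_crls() {
    ensure_setup_option "$IPSEC_CONF" crl-strict yes || return 1
    for url in "$@"; do
        import_crl "$url" || echo "CRL refresh failed: $url" >&2
    done
    crlutil -L -d "$NSSDB"                # list CRLs now in the database
}
```

Run the restart from the thread (ipsec setup restart) after the first call changes ipsec.conf; later runs only re-import CRLs.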