[Swan] Fwd: [Swan-dev] Libreswan library not taking CRLs from the certificate link.
Utkarsh Kumar
utkarshkumar84 at gmail.com
Thu Dec 19 06:01:15 UTC 2019
Hi Tuomo,
Thanks , changed to swan list.
In my scenario, I am importing the certificate to NSS db using CRL
util.
wget -P <local-path> --no-check-certificate
<crl-distribution-url>`
crlutil -I -i <local-path>/*.crl -d sql:/etc/ipsec.d -a -B -f
/etc/ipsec.d/nsspassword
if ! /bin/grep -R "crl-strict" /etc/ipsec.conf > /dev/null
then
sed -i '/virtual_private/ a
\\tcrl-strict=yes\n\tcrlcheckinterval=8h' /etc/ipsec.conf
fi
ipsec setup restart
So after this operations the CRLs are imported correctly and working
as expected and ipsec connections happens fine but now if I revoke a
certificate. libreswan library is not able to take the new CRL list giving
the above error.
Regards,
Utkarsh.
On Wed, Dec 18, 2019 at 3:30 PM Tuomo Soini <tis at foobar.fi> wrote:
> On Wed, 18 Dec 2019 00:46:39 +0530
> Utkarsh Kumar <utkarshkumar84 at gmail.com> wrote:
>
> > Hi Paul,
> > Thanks for the response, yes my CA certificate doesn't have CRL
> > attribute but I check many other CA certificate and out of 10 for
> > example , only one CA certificate had the CRL distribution point.
>
> In this cause having CRL distribution point only in end certificate
> causes chicken egg problem. When you request strict crl checking that
> means you won't accept the certificate without crl. And when you don't
> have crl loaded _before_ you can't accept the certificate to get the
> crl distribution point from the cert.
>
> So you really must load the crl manually to your nss database with
> crlutil to be able to accept the certificate first time.
>
> Again. This doesn't belong to swan-dev mailinglist, please switch to
> swan list.
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20191219/869126cd/attachment.html>
More information about the Swan
mailing list