<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Hi Tuomo,<br></div><div dir="ltr"><div>         Thanks, changed to swan list.</div><div><br></div><div>        In my scenario, I am importing the certificate to NSS db using CRL util.</div><div><br></div><div>                  <span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo">wget -P <local-path> --no-check-certificate <crl-distribution-url></span></div>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><span>        </span>crlutil -I -i <local-path>/*.crl -d sql:/etc/ipsec.d -a -B -f /etc/ipsec.d/nsspassword</span></p><p style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-variant-ligatures:no-common-ligatures"><span>        </span>if ! /bin/grep -R "crl-strict" /etc/ipsec.conf > /dev/null</span></p><p style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-variant-ligatures:no-common-ligatures"><span>        </span>then</span></p><p style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-variant-ligatures:no-common-ligatures"><span>                </span>sed -i '/virtual_private/ a \\tcrl-strict=yes\n\tcrlcheckinterval=8h' /etc/ipsec.conf</span></p><p style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,255,255)"><span style="font-variant-ligatures:no-common-ligatures"><span>        </span>fi</span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><span>        </span>ipsec setup restart</span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><br></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, sans-serif">     So after these operations the CRLs are imported correctly and working as expected, and ipsec connections happen fine, but now if I revoke a certificate, the libreswan library is not able to take the new CRL list, giving the above error.</font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, sans-serif"><br></font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, sans-serif">Regards,</font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, sans-serif">Utkarsh.</font></span></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><br></span></p></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 18, 2019 at 3:30 PM Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank">tis@foobar.fi</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, 18 Dec 2019 00:46:39 +0530<br>
Utkarsh Kumar <<a href="mailto:utkarshkumar84@gmail.com" target="_blank">utkarshkumar84@gmail.com</a>> wrote:<br>
<br>
> Hi Paul,<br>
>       Thanks for the response, yes my CA certificate doesn't have a CRL<br>
> attribute, but I checked many other CA certificates and out of 10, for<br>
> example, only one CA certificate had the CRL distribution point.<br>
<br>
In this case, having the CRL distribution point only in the end certificate<br>
causes a chicken-and-egg problem. When you request strict CRL checking, that<br>
means you won't accept the certificate without a CRL. And when you don't<br>
have the CRL loaded _before_, you can't accept the certificate to get the<br>
CRL distribution point from the cert.<br>
<br>
So you really must load the CRL manually into your NSS database with<br>
crlutil to be able to accept the certificate the first time.<br>
<br>
Again: this doesn't belong on the swan-dev mailing list, please switch to<br>
the swan list.<br>
<br>
-- <br>
Tuomo Soini <<a href="mailto:tis@foobar.fi" target="_blank">tis@foobar.fi</a>><br>
Foobar Linux services<br>
+358 40 5240030<br>
Foobar Oy <<a href="https://foobar.fi/" rel="noreferrer" target="_blank">https://foobar.fi/</a>><br>
</blockquote></div>
</div></div>