On Tue, 13 Sep 2016, Nels Lindquist wrote:
> Just wondering what the current state of CRL handling in LibreSWAN is?
It's fantastic. Let me tell you about CRL fetching. We do very well with
CRL fetching. We're going to have the best CRL fetching and we are
going to make the browsers pay for them!
But seriously, there is one CRL fix going into 3.19 :)
pluto: iterate all X.509 certs and try to fetch their crls
https://github.com/libreswan/libreswan/commit/89d9541229ecac9090305d9c5a828a4969b97ae8
> I'm running 3.18, and files in /etc/ipsec.d/crls seem to be detected and
> imported by "ipsec auto --rereadcrls", but "ipsec auto --listcrls" shows
> nothing:
>
> ipsec auto --rereadcrls
> 002 loading crl file 'crl.pem' (1223 bytes)
>
> ipsec auto --listcrls
> 000
> 000 List of CRLs:
You do need to have a connection loaded with a certificate for the CRLs
to be loaded and visible.
> Attempts to import a CRL file into the NSS database using crlutil fail with
> "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL has an invalid
> format."
We should still be reading CRLs from /etc/ipsec.d/crls if you place it
there, although that is legacy. Importing it should work, provided you
have the CA there as well I think.
Paul
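Added example, not code from the thread or from libreswan: shell helpers that report whether a CRL file on disk is PEM or DER, print its issuer, and write a DER copy, with a throwaway CA and empty CRL constructed inline as sample input. It assumes openssl is installed; that an "invalid format" import error can come from feeding a PEM file to a tool expecting DER is my assumption for the demo, not something Nels or Paul state.

```shell
#!/bin/sh
# Added example, not code from the thread or from libreswan. Helpers to check
# what encoding a CRL file actually uses, show its issuer, and produce a DER
# copy. All file names and the CA below are constructed for the demo.

# Print PEM, DER or unknown for the CRL in $1, by asking openssl to parse it.
crl_encoding() {
  if openssl crl -in "$1" -inform PEM -noout >/dev/null 2>&1; then
    echo PEM
  elif openssl crl -in "$1" -inform DER -noout >/dev/null 2>&1; then
    echo DER
  else
    echo unknown
  fi
}

# Print the issuer DN of the CRL in $1 whatever its encoding; fail if unparsable.
crl_issuer() {
  enc=$(crl_encoding "$1")
  [ "$enc" != unknown ] || return 1
  openssl crl -in "$1" -inform "$enc" -noout -issuer
}

# Write a DER copy of the CRL in $1 to $2 (DER input is re-encoded unchanged).
crl_to_der() {
  enc=$(crl_encoding "$1")
  [ "$enc" != unknown ] || return 1
  openssl crl -in "$1" -inform "$enc" -outform DER -out "$2" 2>/dev/null
}

# Construct a throwaway CA and an empty CRL in directory $1 as sample input.
gen_test_crl() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj /CN=ExampleCA \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  : > "$dir/index.txt"
  printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = %s/index.txt\n' "$dir" > "$dir/ca.cnf"
  printf 'default_md = sha256\ndefault_crl_days = 1\n' >> "$dir/ca.cnf"
  openssl ca -config "$dir/ca.cnf" -gencrl -keyfile "$dir/ca.key" \
    -cert "$dir/ca.crt" -out "$dir/crl.pem" >/dev/null 2>&1
}
```

Running `crl_encoding` against the real file in /etc/ipsec.d/crls tells you which encoding you are actually handing to the importer before you go looking for a deeper problem.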
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan