On 2016/09/13 10:19 AM, Paul Wouters wrote:
> On Tue, 13 Sep 2016, Nels Lindquist wrote:
>
>> Just wondering what the current state of CRL handling in LibreSWAN is?
>
> It's fantastic. Let me tell you about CRL fetching. We do very well with
> CRL fetching. We're going to have the best CRL fetching and we are
> going to make the browsers pay for them!

That all sounds great, just so long as they're not running on a private
e-mail server!

> But seriously, there is one CRL fix going into 3.19 :)
>
> pluto: iterate all X.509 certs and try to fetch their crls
> https://github.com/libreswan/libreswan/commit/89d9541229ecac9090305d9c5a828a4969b97ae8
>
>> I'm running 3.18, and files in /etc/ipsec.d/crls seem to be detected
>> and imported by "ipsec auto --rereadcrls", but "ipsec auto --listcrls"
>> shows nothing:
>>
>> ipsec auto --rereadcrls
>> 002 loading crl file 'crl.pem' (1223 bytes)
>> ipsec auto --listcrls
>> 000
>> 000 List of CRLs:
>
> You do need to have a connection loaded with a certificate for the CRLs
> to be loaded and visible.

That is the case--not just loaded, but active even. I tried restarting
ipsec and reestablishing the connections to see if it was a
load-on-start issue but still no CRLs are displayed.

>> Attempts to import a CRL file into the NSS database using crlutil fail
>> with "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL
>> has an invalid format."
>
> We should still be reading CRLs from /etc/ipsec.d/crls if you place it
> there, although that is legacy. Importing it should work, provided you
> have the CA there as well I think.

I do indeed have the CA in the nss database, though not with its private
key. Would that matter for CRL importation?
Nels Lindquist
_______________________________________________
Swan mailing list
swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
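An added pre-import check for the crlutil failure discussed in this thread (example script, not from the thread or from the libreswan project): crlutil -I reads a DER-encoded CRL, and feeding it a PEM file such as crl.pem is one common cause of SEC_ERROR_CRL_INVALID, so the script converts PEM to DER, verifies the CRL signature against the issuing CA certificate (only the CA's public certificate is needed for that), and only then imports. The NSS database location in NSSDIR and the CA certificate path passed on the command line are assumptions to adjust for your setup.

```shell
#!/bin/sh
# Example script (not libreswan's own code): convert, verify, then import a
# CRL into the NSS database that pluto uses. Requires openssl and crlutil.
set -eu

# Assumed NSS database location (libreswan on Fedora/RHEL); override via env.
NSSDIR="${NSSDIR:-sql:/etc/ipsec.d}"

# crl_format FILE -> prints "pem" if the file carries a PEM CRL header, else "der"
crl_format() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# to_der IN OUT -> writes a DER copy of the CRL, converting from PEM if needed
to_der() {
    if [ "$(crl_format "$1")" = pem ]; then
        openssl crl -in "$1" -inform PEM -outform DER -out "$2"
    else
        cp "$1" "$2"
    fi
}

# verify_crl DER_CRL CA_CERT -> succeeds only if CA_CERT signed the CRL
verify_crl() {
    openssl crl -in "$1" -inform DER -CAfile "$2" -noout
}

# import_crl CRL CA_CERT -> convert, verify, then import (-t 1 = X.509 CRL).
# crlutil also needs the issuing CA certificate already present in NSSDIR,
# otherwise the import is rejected; the CA's private key is not required.
import_crl() {
    tmp=$(mktemp)
    to_der "$1" "$tmp"
    verify_crl "$tmp" "$2"
    crlutil -I -i "$tmp" -d "$NSSDIR" -t 1
    rm -f "$tmp"
}

# Usage: ./import-crl.sh /etc/ipsec.d/crls/crl.pem /path/to/ca.pem
if [ "$#" -eq 2 ]; then
    import_crl "$1" "$2"
fi
```

After a successful import, "crlutil -L -d sql:/etc/ipsec.d" lists the CRL by issuer, which is a quicker sanity check than waiting for a connection to load it.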