On Tue, 13 Sep 2016, Nels Lindquist wrote:

>> It's fantastic. Let me tell you about CRL fetching. We do very well with
>> CRL fetching. We're going to have the best CRL fetching and we are
>> going to make the browsers pay for them!

> That all sounds great, just so long as they're not running on a private e-mail server!

:)

>> You do need to have a connection loaded with a certificate for the CRLs
>> to be loaded and visible.

> That is the case--not just loaded, but active even. I tried restarting ipsec and reestablishing the connections to see if it was a load-on-start issue but still no CRLs are displayed.

Is there anything in the logs about CRLs?

Note we do have some CRL issues on our TODO list, which we will
hopefully get to this week.

>  Attempts to import a CRL file into the NSS database using crlutil fail
>  with "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL
>  has an invalid format."


Maybe Tuomo can say more about this.

>> there, although that is legacy. Importing it should work, provided you
>> have the CA there as well I think.

> I do indeed have the CA in the nss database, though not with its private key. Would that matter for CRL importation?

No, the private CA key does not belong on the VPN server.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
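An added diagnostic sequence for the crlutil import failure discussed above; it is not from the thread or from Libreswan. It assumes the NSS database lives in /etc/ipsec.d and that the CRL file was handed to crlutil in PEM rather than DER encoding, a common trigger for "invalid format" that the thread itself does not confirm.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Classify a CRL file as PEM
# or DER, convert PEM to DER (crlutil -I expects DER), show the CRL issuer so
# it can be matched against the CA nickname already in the NSS database, then
# import and list. Assumed NSS database directory: /etc/ipsec.d.
NSSDIR="${NSSDIR:-sql:/etc/ipsec.d}"

# Print "pem", "der" or "unknown" for the CRL file given as $1.
crl_format() {
    f="$1"
    [ -f "$f" ] || { echo unknown; return 1; }
    if grep -q -F -e '-----BEGIN X509 CRL-----' "$f"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
        # A DER-encoded CRL begins with an ASN.1 SEQUENCE tag (0x30).
        echo der
    else
        echo unknown
        return 1
    fi
}

# Convert $1 to DER if needed and import it. The issuing CA certificate must
# already be in the database (certutil -L lists the nicknames present).
import_crl() {
    src="$1"
    fmt="$(crl_format "$src")" || { echo "unrecognised CRL file: $src" >&2; return 1; }
    der="$src"
    if [ "$fmt" = pem ]; then
        der="${src%.*}.der"
        openssl crl -inform PEM -in "$src" -outform DER -out "$der" || return 1
    fi
    # Issuer of the CRL; compare with the CA subject shown by certutil.
    openssl crl -inform DER -in "$der" -noout -issuer
    certutil -L -d "$NSSDIR"
    crlutil -I -i "$der" -d "$NSSDIR" || return 1
    # Confirm the CRL is now visible to NSS (and therefore to pluto).
    crlutil -L -d "$NSSDIR"
}
```

Run `import_crl /path/to/ca.crl` on the VPN server; the listing from `crlutil -L` is what should show the CRL once the import succeeds.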