On 2016/09/13 5:54 PM, Paul Wouters wrote:

On Tue, 13 Sep 2016, Nels Lindquist wrote:

You do need to have a connection loaded with a certificate for
the CRLs to be loaded and visible.

That is the case--not just loaded, but active even.  I tried
restarting ipsec and reestablishing the connections to see if it
was a load-on-start issue but still no CRLs are displayed.

Is there anything in the logs about CRLs?

By default, nothing more than what's displayed in response to the --rereadcrls directive (from secure.log):

Sep 13 12:17:05 yeggate pluto[3187]:   loading crl file 'crl.pem' (1223 bytes)

On a different box (same CA and CRL) I enabled plutodebug=x509 and get this on ipsec restart:

Sep 14 14:54:33 mail2 pluto[17331]: | Changing to directory '/etc/ipsec.d/crls'
Sep 14 14:54:33 mail2 pluto[17331]:   loading crl file 'crl.pem' (1223 bytes)
Sep 14 14:54:33 mail2 pluto[17331]: | crl issuer found MAEI Root Certificate : nick [email protected],CN=MAEI Root Certificate,OU=InformationTechnology,O=Morningstar Air Express Inc.,L=Edmonton International Airport,ST=Alberta,C=CA
Sep 14 14:54:33 mail2 pluto[17331]: | could not find CRL URI ext -8157

And upon initiating a certificate-authenticated connection:

Sep 14 14:55:23 mail2 pluto[17331]: | get_issuer_crl : looking for a CRL issued by [email protected],CN=MAEI Root Certificate,OU=Information Technology,O=Morningstar Air Express Inc.,L=Edmonton International Airport,ST=Alberta,C=CA
Sep 14 14:55:23 mail2 pluto[17331]: | missing or expired CRL
Sep 14 14:55:23 mail2 pluto[17331]: | crl_strict: 0, ocsp: 0, ocsp_strict: 0
Sep 14 14:55:23 mail2 pluto[17331]: | certificate is valid


Note we do have some CRL issues on our TODO list, which we will
hopefully get to this week.

Attempts to import a CRL file into the NSS database using crlutil fail
with "crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL has
an invalid format."


Maybe Tuomo can say more about this.

there, although that is legacy. Importing it should work,
provided you have the CA there as well I think.

I do indeed have the CA in the nss database, though not with its
private key. Would that matter for CRL importation?

No, the private CA key does not belong on the VPN server.

Good, yes.

Nels Lindquist
----
<[email protected]>
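As an added check (example code, not from the thread, libreswan or NSS), the script below runs the tests a CRL has to pass before a verifier will use it and that line up with the log output quoted earlier: the file is actually PEM or DER, its issuer DN equals the CA's subject DN, its signature verifies against the CA, and its nextUpdate has not passed. It assumes openssl and GNU date are installed and that the CA certificate is at hand as a PEM file; the file names are placeholders.

```shell
#!/bin/sh
# Diagnostic for a CRL that pluto reports as "missing or expired" or that
# crlutil rejects as SEC_ERROR_CRL_INVALID. Assumptions (not from the thread):
# openssl and GNU date are available; $2 is the CA certificate in PEM form.
# Example code, not part of libreswan or NSS.

# Classify a CRL file as "pem", "der" or "unknown" from its leading bytes.
# A PEM file handed to a tool that expects DER is rejected as invalid format.
crl_format() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der      # 0x30 = ASN.1 SEQUENCE, the outer tag of a DER CRL
    else
        echo unknown
    fi
}

# Issuer must match the CA, the signature must verify, nextUpdate must be in
# the future. Returns 0 only when all three hold; prints the first failure.
crl_check() {
    crl=$1; ca=$2
    fmt=$(crl_format "$crl")
    [ "$fmt" != unknown ] || { echo "not a PEM or DER CRL: $crl"; return 1; }
    inform=$(printf '%s' "$fmt" | tr a-z A-Z)
    issuer=$(openssl crl -in "$crl" -inform "$inform" -noout -issuer) || return 1
    issuer=${issuer#*=}                         # drop the leading "issuer="
    subject=$(openssl x509 -in "$ca" -noout -subject) || return 1
    subject=${subject#*=}                       # drop the leading "subject="
    [ "$issuer" = "$subject" ] \
        || { echo "issuer mismatch: CRL '$issuer' vs CA '$subject'"; return 1; }
    openssl crl -in "$crl" -inform "$inform" -CAfile "$ca" -noout >/dev/null 2>&1 \
        || { echo "CRL signature does not verify against $ca"; return 1; }
    next=$(openssl crl -in "$crl" -inform "$inform" -noout -nextupdate) || return 1
    next=${next#*=}                             # "Sep 20 12:00:00 2016 GMT"
    [ "$(date -u -d "$next" +%s)" -gt "$(date -u +%s)" ] \
        || { echo "CRL expired: nextUpdate=$next"; return 1; }
    echo "CRL ok ($fmt): issuer '$issuer', nextUpdate $next"
}

# Usage: ./crlcheck.sh crl.pem ca.pem  (placeholder names). On success a DER
# copy is written next to the input, the encoding an NSS import expects.
if [ $# -eq 2 ]; then
    crl_check "$1" "$2" && openssl crl -in "$1" \
        -inform "$(crl_format "$1" | tr a-z A-Z)" -outform DER -out "${1%.*}.der"
fi
```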
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
