On Mon, 26 Sep 2016, Bryan Harris wrote:
> Sep 26 14:07:34 right pluto[7928]: | get_issuer_crl : looking for a CRL issued by CN=Sally Sub CA,O=Sally,C=US
> Sep 26 14:07:34 right pluto[7928]: | missing or expired CRL
> Sep 26 14:07:34 right pluto[7928]: | crl_strict: 0, ocsp: 0, ocsp_strict: 0
> Sep 26 14:07:34 right pluto[7928]: | certificate is valid
This should still trigger a CRL fetch though, and on the next pass it should work.
> After trying to use strictcrlpolicy=yes, it didn't work. Then I recalled a mailing list message about having to manually import the CRL, and so I did that (using DER format and the command found on the wiki); now the tunnel works with CRLs and strict CRL policy in the configuration file.
There is a recent commit in master that forces a CRL fetch 5 seconds after libreswan starts. It used to wait until a client came in that needed the CRL. There are some other X.509 related fixes too in git master that will be released in 3.19.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
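To make the decision in the quoted pluto log concrete, here is an added example (written for this thread, not libreswan or NSS code): a minimal DER encoder and parser for an X.509 v2 CRL, plus a `get_issuer_crl` function that mirrors the logged outcome, i.e. with `crl_strict: 0` a missing or expired CRL still yields "certificate is valid" but flags that a fetch is needed, while `strictcrlpolicy=yes` rejects the certificate until a fresh CRL is present. The CRL built here carries a placeholder signature (no key, no real signing), the issuer name matches the log, and the `NOW` timestamp, the in-memory `crl_store` dict and the function names are all assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# --- minimal DER helpers (constructed for this example; not libreswan/NSS code) ---

def der_len(n):
    """DER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def utc_time(dt):
    # UTCTime YYMMDDHHMMSSZ; RFC 5280 uses it for dates before 2050
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

OID_CN, OID_O, OID_C = b"\x55\x04\x03", b"\x55\x04\x0a", b"\x55\x04\x06"
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
OID_NAMES = {OID_CN: "CN", OID_O: "O", OID_C: "C"}

def name_der(rdns):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }; rdns in DER order."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, val.encode("ascii"))))
        for oid, val in rdns))

def build_crl(issuer_rdns, this_update, next_update):
    """Build an *unsigned* v2 CRL; the BIT STRING signature is a zero placeholder."""
    sig_alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + sig_alg + name_der(issuer_rdns)
              + utc_time(this_update) + utc_time(next_update))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\x00" * 32))

# --- parsing side ---

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Extract issuer DN (RFC 4514 string order, as pluto prints it), thisUpdate, nextUpdate."""
    _, outer, _ = read_tlv(der)
    tbs = children(children(outer)[0][1])
    i = 1 if tbs[0][0] == 0x02 else 0          # optional version INTEGER
    parts = []
    for _, rdn in children(tbs[i + 1][1]):
        (_, oid), (_, val) = children(children(rdn)[0][1])
        parts.append(f"{OID_NAMES.get(oid, 'OID')}={val.decode('ascii')}")
    next_update = None
    if len(tbs) > i + 3 and tbs[i + 3][0] in (0x17, 0x18):
        next_update = parse_time(*tbs[i + 3])
    return {"issuer": ",".join(reversed(parts)),
            "this_update": parse_time(*tbs[i + 2]), "next_update": next_update}

# --- policy, mirroring the quoted log lines ---

def get_issuer_crl(crl_store, issuer_dn, now, crl_strict=False):
    """Missing or expired CRL: accept with crl_strict=0 (fetch needed), reject with crl_strict=1."""
    crl = crl_store.get(issuer_dn)
    if crl is None:
        reason = "missing CRL"
    elif crl["next_update"] is not None and crl["next_update"] < now:
        reason = "expired CRL"
    else:
        return {"accepted": True, "fetch_needed": False, "reason": "fresh CRL"}
    return {"accepted": not crl_strict, "fetch_needed": True, "reason": reason}

# Constructed scenario: the issuer from the log, evaluated at the log's timestamp (assumed UTC)
NOW = datetime(2016, 9, 26, 14, 7, 34, tzinfo=timezone.utc)
SALLY_RDNS = [(OID_C, "US"), (OID_O, "Sally"), (OID_CN, "Sally Sub CA")]
SALLY_DN = "CN=Sally Sub CA,O=Sally,C=US"

def scenario(next_update_days, crl_strict):
    """Store a CRL whose nextUpdate is NOW + next_update_days and evaluate the policy."""
    crl = parse_crl(build_crl(SALLY_RDNS, NOW - timedelta(days=30),
                              NOW + timedelta(days=next_update_days)))
    return get_issuer_crl({crl["issuer"]: crl}, SALLY_DN, NOW, crl_strict)

if __name__ == "__main__":
    print("crl_strict=0, expired CRL:", scenario(-1, False))   # accepted, fetch_needed
    print("crl_strict=1, expired CRL:", scenario(-1, True))    # rejected until a fresh CRL lands
    print("crl_strict=1, no CRL:     ", get_issuer_crl({}, SALLY_DN, NOW, crl_strict=True))
```

The `fetch_needed` flag is the point of the thread: in non-strict mode the expired CRL is tolerated on this pass, so whether the tunnel works on the next pass depends entirely on something actually refreshing the CRL, whether that is pluto's fetch after start or a manual `crlutil`-style import into the NSS database.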
