Re: [Swan] Question/troubleshooting x509 w/ intermediate & root CA

Mon, 26 Sep 2016 16:22:17 -0700 

On Mon, 26 Sep 2016, Bryan Harris wrote:


Hmm, for some reason I didn't notice that type of behavior.  But, we
are using RHEL 6 and so I wonder if version in use does not have the
latest features.  Or it could be that I haven't yet corrected all
mistakes in my commands yet, and something is causing these guys to
behave this way.

Yep, after reading the man page, if crlcheckinterval is not specified
then RHEL version of ipsec uses zero, which means it will never fetch
the CRLs.

So, I set to five seconds.  Now, when I do a full-restart and then
"ipse auto --up" this tunnel, whichever server is the OTHER side of
the tunnel successfully downloads the root CA CRL but not the Sub CA
CRL.  For some reason they get stuck trying to obtain the Sub CA CRL.
So they can get one but not the other.


If you use the rhel6 version, then yes you will have some issues still.
You can try to grab the rhel6 package from download.libreswan.org
which packaes 3.18, which has some, but not all fixes, related to x509.

mode, failing pending update
Sep 26 17:49:24 left pluto[2299]: |   trusted_ca_nss called with
a=(empty) b=(empty)
Sep 26 17:49:24 left pluto[2299]: "mytunnel" #1: no RSA public key
known for 'C=US, O=Sally, CN=right'
Sep 26 17:49:24 left pluto[2299]: "mytunnel" #1: sending encrypted
notification INVALID_KEY_INFORMATION to 192.168.122.8:500


So one bug here is that it sends an INVALID_KEY_INFORMATION, instead
of silently waiting for a resend of the packet (while it fetches
the CRL meanwhile)


I see that it calls to import CRL on the first line above correctly.
But I never see it attempt the same function for the second CRL.
Instead of _import_crl it calls get_issuer_crl.  I have both Root+Sub
CAs + left/right cert in the NSS database on each side.  My pkcs12
command had an option something like -certfile <(cat sally1 sally2)
which imported both of them.


Yes, we were not yet fetching all the intermediate CRLs either. That
is being fixed now and will also be in 3.19.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to