Hi,

On strongswan < 5, I was using certificates with IKEv1 and specifically strictcrlpolicy=yes always worked fine. My config was something like:
    ca vpnca
        cacert=VPNCA-cacert.pem
        crluri=VPNCA-crl.pem
        auto=add

    config setup
        strictcrlpolicy=yes
        ...
Now with strongswan 5.0.0 as well as with 5.0.1dr3, I've got the following error:

    Sep 5 08:02:26 vpn-test charon: 17[CFG] fetching crl from 'VPNCA-crl.pem' ...
    Sep 5 08:02:26 vpn-test charon: 17[CFG] crl fetching failed
I've changed ipsec.conf to:

    crluri=file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem

Then the error was:

    Sep 5 09:38:00 vpn-test charon: 19[CFG] fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...
    Sep 5 09:38:00 vpn-test charon: 19[CFG] crl fetched successfully but parsing failed
I've changed the CRL format to DER. Now the error is:

    Sep 5 10:27:19 vpn-test charon: 18[CFG] fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.der' ...
    Sep 5 10:27:19 vpn-test charon: 18[CFG] issuer of fetched CRL 'C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA, [email protected]' does not match CRL issuer 'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'
    Sep 5 10:27:19 vpn-test charon: 18[CFG] certificate status is not available
Has the behaviour of crluri changed?
Is it normal that PEM-formatted CRLs cannot be read anymore?
Why does strongswan compare the DN to a fingerprint? Am I missing an option there?
kind regards,
Claude
--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
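A command-line check for the situation described in this mail, added here as an example (it is not from the original post and not strongSwan's own tooling): before pointing crluri= at a CRL file, confirm with openssl that the file parses as PEM or DER, that the CRL's issuer DN equals the CA certificate's subject, that the CRL's authorityKeyIdentifier equals the CA's subjectKeyIdentifier, and that the CRL signature verifies with the CA key. The script builds throwaway test CAs with placeholder names (constructed data, not the RESTENA CA) so it runs offline; the second CA deliberately reuses the first one's subject with a fresh key, so the DN comparison passes while the key-identifier comparison does not. The script does not reproduce strongSwan's own comparison; it shows both checks so that a rekeyed CA with an unchanged DN is caught as well as a plain DN mismatch.

```shell
#!/bin/sh
# Added example: verify that a CRL file belongs to a given CA certificate,
# the way one would check VPNCA-cacert.pem against VPNCA-crl.pem before
# referencing it via crluri=file:///... All CAs below are constructed test data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_ca NAME SUBJECT: throwaway CA (key, self-signed cert, empty CRL that
# carries an authorityKeyIdentifier) under $WORK/NAME/. Placeholder names only.
make_test_ca() {
  name=$1; subject=$2; d="$WORK/$name"
  mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/crlnumber"; echo 1000 > "$d/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$subject" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  cat > "$d/ca.cnf" <<EOF
[ca]
default_ca = test_ca
[test_ca]
database = $d/index.txt
serial = $d/serial
crlnumber = $d/crlnumber
new_certs_dir = $d/newcerts
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_crl_days = 7
crl_extensions = crl_ext
[crl_ext]
authorityKeyIdentifier = keyid:always
EOF
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
  # Same CRL in DER, the format the mail switched to.
  openssl crl -in "$d/crl.pem" -outform DER -out "$d/crl.der"
}

# crl_inform FILE: print PEM or DER depending on which encoding openssl parses.
crl_inform() {
  if openssl crl -in "$1" -inform PEM -noout 2>/dev/null; then echo PEM; else echo DER; fi
}

# key_id_from_text EXTNAME: pull the hex key identifier printed on the line after
# EXTNAME in 'openssl ... -text' output; older versions prefix it with 'keyid:'.
key_id_from_text() {
  awk -v ext="$1" 'index($0, ext) { getline; print }' | sed 's/.*keyid://; s/^[[:space:]]*//'
}

# check_crl_against_ca CA_CERT CRL: return 0 only when issuer DN, key identifier
# and signature all tie the CRL to this CA; print what was compared.
check_crl_against_ca() {
  ca_cert=$1; crl=$2
  inform=$(crl_inform "$crl")
  crl_issuer=$(openssl crl -in "$crl" -inform "$inform" -noout -issuer); crl_issuer=${crl_issuer#issuer=}
  ca_subject=$(openssl x509 -in "$ca_cert" -noout -subject); ca_subject=${ca_subject#subject=}
  crl_aki=$(openssl crl -in "$crl" -inform "$inform" -noout -text | key_id_from_text "Authority Key Identifier")
  ca_ski=$(openssl x509 -in "$ca_cert" -noout -text | key_id_from_text "Subject Key Identifier")
  echo "CRL ($inform) issuer: $crl_issuer"
  echo "CA subject         : $ca_subject"
  echo "CRL authorityKeyId : $crl_aki"
  echo "CA subjectKeyId    : $ca_ski"
  [ "$crl_issuer" = "$ca_subject" ] || { echo "MISMATCH: issuer DN differs from CA subject"; return 1; }
  [ -n "$crl_aki" ] && [ "$crl_aki" = "$ca_ski" ] || { echo "MISMATCH: key identifier (same DN, different CA key?)"; return 1; }
  openssl crl -in "$crl" -inform "$inform" -noout -CAfile "$ca_cert" 2>&1 | grep -q 'verify OK' \
    || { echo "MISMATCH: CRL signature does not verify with this CA"; return 1; }
  echo "OK: CRL belongs to this CA"
}

make_test_ca vpnca   "/C=XX/O=Example Org/CN=Example VPN CA"
make_test_ca rekeyed "/C=XX/O=Example Org/CN=Example VPN CA"   # same DN, new key

echo "--- CRL checked against its own CA (PEM, then DER) ---"
check_crl_against_ca "$WORK/vpnca/ca.pem" "$WORK/vpnca/crl.pem"
check_crl_against_ca "$WORK/vpnca/ca.pem" "$WORK/vpnca/crl.der"
echo "--- same CRL against a rekeyed CA with an identical DN ---"
check_crl_against_ca "$WORK/rekeyed/ca.pem" "$WORK/vpnca/crl.der" || true
```

On a real installation, replace the two generated files with the CA certificate and the CRL that crluri points at; if the DN matches but the key identifier does not, the CRL was signed by a different key than the certificate in cacert=, which is worth ruling out before looking at the daemon.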
