Hi Jafar,

> If I omit the crl option completely no crl check takes place as expected:

Yes, that would require adding the --online option. The --crl option
automatically does that.

> The crl command line option forces a crl check but the locally provided
> crl is completely ignored even though it is the same crl on the server.
> Is that to be expected?

I can't reproduce that, using the same hierarchy with two intermediate CAs:

> using certificate "C=CH, O=strongSwan, CN=server"
> using trusted intermediate ca certificate "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> checking certificate status of "C=CH, O=strongSwan, CN=server"
> using trusted intermediate ca certificate "C=CH, O=strongSwan, CN=strongSwan ICA"
> reached self-signed root ca with a path length of 0
> using trusted certificate "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> crl correctly signed by "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> crl is valid: until Feb 27 17:28:52 2018
> certificate was revoked on Feb 12 16:28:52 UTC 2018, reason: unspecified
> using cached crl
> certificate untrusted

If I don't add the CRL but --online instead (without having uploaded the
CRL) I get:

> using certificate "C=CH, O=strongSwan, CN=server"
> using trusted intermediate ca certificate "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> checking certificate status of "C=CH, O=strongSwan, CN=server"
> fetching crl from 'https://strongswan.org/test.crl' ...
> crl fetching failed
> certificate status is not available
> using trusted intermediate ca certificate "C=CH, O=strongSwan, CN=strongSwan ICA"
> checking certificate status of "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> certificate status is not available
> using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
> checking certificate status of "C=CH, O=strongSwan, CN=strongSwan ICA"
> certificate status is not available
> reached self-signed root ca with a path length of 2
> certificate trusted, lifetimes valid, revocation checking failed

And after uploading the CRL:

> using certificate "C=CH, O=strongSwan, CN=server"
> using trusted intermediate ca certificate "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> checking certificate status of "C=CH, O=strongSwan, CN=server"
> fetching crl from 'https://strongswan.org/test.crl' ...
> using trusted intermediate ca certificate "C=CH, O=strongSwan, CN=strongSwan ICA"
> reached self-signed root ca with a path length of 0
> using trusted certificate "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> crl correctly signed by "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> crl is valid: until Feb 27 17:28:52 2018
> certificate was revoked on Feb 12 16:28:52 UTC 2018, reason: unspecified
> certificate untrusted

And without either option:

> using certificate "C=CH, O=strongSwan, CN=server"
> using trusted intermediate ca certificate "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> using trusted intermediate ca certificate "C=CH, O=strongSwan, CN=strongSwan ICA"
> using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
> reached self-signed root ca with a path length of 2
> certificate trusted, lifetimes valid

Are you sure your local CRL is the same as that on the server? Could you
perhaps send the certificates and CRLs in question?

Regards,
Tobias
