Hi Jafar,

> If I omit the crl option completely no crl check takes place as expected:

Yes, that would require adding the --online option.  The --crl option
automatically does that.

> The crl command line options forces a crl check but the locally provided 
> crl is completely ignored even though it is the same crl on the server.
> Is that to be expected?

I can't reproduce that, using the same hierarchy with two intermediate CAs:

>   using certificate "C=CH, O=strongSwan, CN=server"
>   using trusted intermediate ca certificate "C=CH, O=strongSwan, 
> CN=strongSwan ICA 2"
> checking certificate status of "C=CH, O=strongSwan, CN=server"
>   using trusted intermediate ca certificate "C=CH, O=strongSwan, 
> CN=strongSwan ICA"
>   reached self-signed root ca with a path length of 0
>   using trusted certificate "C=CH, O=strongSwan, CN=strongSwan ICA 2"
>   crl correctly signed by "C=CH, O=strongSwan, CN=strongSwan ICA 2"
>   crl is valid: until Feb 27 17:28:52 2018
> certificate was revoked on Feb 12 16:28:52 UTC 2018, reason: unspecified
>   using cached crl
> certificate untrusted

If I don't add the CRL but --online instead (without having uploaded the
CRL) I get:

>   using certificate "C=CH, O=strongSwan, CN=server"
>   using trusted intermediate ca certificate "C=CH, O=strongSwan, 
> CN=strongSwan ICA 2"
> checking certificate status of "C=CH, O=strongSwan, CN=server"
>   fetching crl from 'https://strongswan.org/test.crl' ...
> crl fetching failed
> certificate status is not available
>   using trusted intermediate ca certificate "C=CH, O=strongSwan, 
> CN=strongSwan ICA"
> checking certificate status of "C=CH, O=strongSwan, CN=strongSwan ICA 2"
> certificate status is not available
>   using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
> checking certificate status of "C=CH, O=strongSwan, CN=strongSwan ICA"
> certificate status is not available
>   reached self-signed root ca with a path length of 2
> certificate trusted, lifetimes valid, revocation checking failed

And after uploading the CRL:

>   using certificate "C=CH, O=strongSwan, CN=server"
>   using trusted intermediate ca certificate "C=CH, O=strongSwan, 
> CN=strongSwan ICA 2"
> checking certificate status of "C=CH, O=strongSwan, CN=server"
>   fetching crl from 'https://strongswan.org/test.crl' ...
>   using trusted intermediate ca certificate "C=CH, O=strongSwan, 
> CN=strongSwan ICA"
>   reached self-signed root ca with a path length of 0
>   using trusted certificate "C=CH, O=strongSwan, CN=strongSwan ICA 2"
>   crl correctly signed by "C=CH, O=strongSwan, CN=strongSwan ICA 2"
>   crl is valid: until Feb 27 17:28:52 2018
> certificate was revoked on Feb 12 16:28:52 UTC 2018, reason: unspecified
> certificate untrusted
And without either option:

>   using certificate "C=CH, O=strongSwan, CN=server"
>   using trusted intermediate ca certificate "C=CH, O=strongSwan, 
> CN=strongSwan ICA 2"
>   using trusted intermediate ca certificate "C=CH, O=strongSwan, 
> CN=strongSwan ICA"
>   using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
>   reached self-signed root ca with a path length of 2
> certificate trusted, lifetimes valid

Are you sure your local CRL is the same as that on the server?  Could
you perhaps send the certificates and CRLs in question?

Regards,
Tobias

Reply via email to