<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Our system distributes CRLs out of band, so we pass them on to strongswan using the vici load-cert() command.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This works fine usually as strongswan appears to use the last loaded CRL as the one to check when a new IKE connection is requested.<o:p></o:p></p>
<p class="MsoNormal">We run an HA pair and on recovery of a failed node, more than one CRL may be loaded via Vici to the recovered node and not always in the right order. This can result in strongswan using a CRL that is earlier than the latest CRL if the latest
CRL was not the last loaded via Vici.<o:p></o:p></p>
<p class="MsoNormal">So revoked certificates may be unintentionally allowed again.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I note that if we put the CRLs into /etc/ipsec.d/crls and use ipsec rereadcrls followed by ipsec purgecrls then strongswan checks the crl numbers and/or dates and uses the latest.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Is there another way of achieving this using Vici, or is it even possible to have this functionality also available for CRLs loaded via vici?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I appreciate that if we were to check CRLs and order them before passing them to strongswan then this would resolve our problem, but we want to avoid distributing the components involved with security around the system; the more strongswan
can do itself the better for us.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Mike Cole<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:9.0pt;font-family:"Arial","sans-serif";color:black;mso-fareast-language:EN-GB">Michael Cole
</span></b><span style="font-size:9.0pt;font-family:"Arial","sans-serif";color:black;mso-fareast-language:EN-GB">| Cyber Security Services
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Arial","sans-serif";color:black;mso-fareast-language:EN-GB">CGI IT UK Ltd, 250 Brook Drive, Green Park, Reading, Berkshire, RG2 6UA UK
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Arial","sans-serif";color:black;mso-fareast-language:EN-GB">M: +44 791 789 3856
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Arial","sans-serif";color:black;mso-fareast-language:EN-GB"><a href="mailto:michael.cole@cgi.com"><span style="color:blue">michael.cole@cgi.com</span></a> | cgi-group.co.uk
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:"Arial","sans-serif";color:black;mso-fareast-language:EN-GB">CGI IT UK Limited. A CGI Group Inc. Company</span><span style="font-size:6.5pt;font-family:"Arial","sans-serif";color:black;mso-fareast-language:EN-GB">
<o:p></o:p></span></p>
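<p class="MsoNormal">The workaround the post mentions (check the CRLs and order them before handing them to charon) looks like this as an added example; it is not code from the post or from the strongSwan project. It parses just enough DER to read each CRL's issuer, thisUpdate and CRLNumber extension (RFC 5280), keeps only the newest CRL per issuer, and passes those to vici's load-cert, so "last loaded wins" can never resurrect a superseded CRL on a recovered HA node. The sample CRLs are constructed inline and unsigned (filler signature bytes), and the load_via_vici function assumes strongSwan's Python vici package is installed and the charon socket is reachable; the message keys it uses (type, flag, data) are those documented for load-cert.</p>

```python
"""Select the newest CRL per issuer before loading CRLs into strongSwan over vici.

Hypothetical helper (not strongSwan code): reads issuer, thisUpdate and the
CRLNumber extension from DER CRLs, keeps the newest per issuer, loads only those.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional, Tuple

CRL_NUMBER_OID = bytes.fromhex("0603551d14")  # id-ce-cRLNumber (2.5.29.20) as a DER OID TLV


class CrlMeta(NamedTuple):
    issuer: bytes              # raw DER of the issuer Name, used as the grouping key
    crl_number: Optional[int]  # None when the CRL carries no CRLNumber extension
    this_update: datetime


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV (single-byte tags); returns (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, val: bytes) -> datetime:
    s = val.decode("ascii")
    if tag == 0x17:                          # UTCTime: RFC 5280 maps YY >= 50 to 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _crl_number(explicit_exts: bytes) -> Optional[int]:
    _, exts, _ = _tlv(explicit_exts, 0)      # crlExtensions [0] EXPLICIT wraps Extensions SEQUENCE
    pos = 0
    while pos < len(exts):
        _, ext, pos = _tlv(exts, pos)        # Extension ::= SEQUENCE { extnID, critical?, extnValue }
        if ext.startswith(CRL_NUMBER_OID):
            tag, val, p = _tlv(ext, len(CRL_NUMBER_OID))
            if tag == 0x01:                  # skip the optional critical BOOLEAN
                tag, val, p = _tlv(ext, p)
            _, num, _ = _tlv(val, 0)         # extnValue OCTET STRING contains a DER INTEGER
            return int.from_bytes(num, "big", signed=True)
    return None


def parse_crl_meta(der: bytes) -> CrlMeta:
    """Extract issuer, thisUpdate and CRLNumber from a DER-encoded CertificateList."""
    _, cert_list, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert_list, 0)           # tbsCertList
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0x02 else 0          # version INTEGER is OPTIONAL
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)          # issuer Name
    tag, val, pos = _tlv(tbs, pos)           # thisUpdate (UTCTime or GeneralizedTime)
    this_update, crl_number = _parse_time(tag, val), None
    while pos < len(tbs):                    # nextUpdate / revokedCertificates / crlExtensions [0]
        tag, val, pos = _tlv(tbs, pos)
        if tag == 0xA0:
            crl_number = _crl_number(val)
    return CrlMeta(issuer, crl_number, this_update)


def crl_sort_key(meta: CrlMeta):
    """CRLNumber is authoritative; thisUpdate breaks ties, and a CRL without a number sorts oldest."""
    return (-1 if meta.crl_number is None else meta.crl_number, meta.this_update)


def plan_load_order(crls: List[Tuple[str, bytes]]) -> List[Tuple[str, bytes]]:
    """Keep only the newest CRL per issuer; returns (name, der) pairs to hand to vici load-cert."""
    newest = {}
    for name, der in crls:
        meta = parse_crl_meta(der)
        current = newest.get(meta.issuer)
        if current is None or crl_sort_key(meta) > crl_sort_key(current[1]):
            newest[meta.issuer] = (name, meta, der)
    return [(name, der) for name, _, der in newest.values()]


def load_via_vici(selected: List[Tuple[str, bytes]]) -> None:
    """Load the chosen CRLs into charon (assumes the strongSwan `vici` Python package and socket)."""
    import vici
    session = vici.Session()
    for _, der in selected:
        session.load_cert({"type": "X509_CRL", "flag": "NONE", "data": der})


# --- constructed sample data: unsigned CRLs with filler signature bytes, for demonstration only ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    nb = (n.bit_length() + 7) // 8
    lenb = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + lenb + content


def build_sample_crl(issuer_cn: str, crl_number: Optional[int], this_update: datetime) -> bytes:
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, issuer_cn.encode()))))
    tbs = _der(0x02, b"\x01") + sig_alg + issuer + _der(0x17, this_update.strftime("%y%m%d%H%M%SZ").encode())
    if crl_number is not None:
        num = crl_number.to_bytes(crl_number.bit_length() // 8 + 1, "big")
        tbs += _der(0xA0, _der(0x30, _der(0x30, CRL_NUMBER_OID + _der(0x04, _der(0x02, num)))))
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00" * 5))


def sample_crls() -> List[Tuple[str, bytes]]:
    """Three CRLs from one CA arriving out of order, one from another CA, one with no CRLNumber."""
    return [
        ("crl-5", build_sample_crl("Test CA", 5, datetime(2024, 1, 1))),
        ("crl-7", build_sample_crl("Test CA", 7, datetime(2024, 1, 3))),
        ("crl-6", build_sample_crl("Test CA", 6, datetime(2024, 1, 2))),
        ("other-3", build_sample_crl("Other CA", 3, datetime(2024, 1, 1))),
        ("legacy-none", build_sample_crl("Legacy CA", None, datetime(2024, 1, 1))),
    ]


if __name__ == "__main__":
    for name, _ in plan_load_order(sample_crls()):
        print("would load", name)   # crl-6 arrived last but crl-7 is selected
```

<p class="MsoNormal">Run as a script it only prints the plan; call load_via_vici(plan_load_order(crls)) on a node to actually load the selected CRLs. Because only one CRL per issuer is ever loaded, the order in which the HA peer delivers them no longer matters, and comparing CRLNumber before thisUpdate matches the number-or-date check the post describes for the rereadcrls/purgecrls path.</p>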
</div>
</body>
</html>