[strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls

Cole, Michael michael.cole at cgi.com
Wed Nov 11 18:58:21 CET 2015


Hi Tobias

I built a patch with just the change to src/libcharon/plugins/vici/vici_cred.c given in your link
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/vici-load-cert-crl
built, installed and ran it. All good.
I loaded the CRLs in the "wrong" order via vici, ran ipsec purgecrls, ran my test and it's all working fine.

Thank you for the quick and complete response

Best regards
Mike Cole


-----Original Message-----
From: Cole, Michael 
Sent: 10 November 2015 14:34
To: 'Tobias Brunner'; dev at lists.strongswan.org
Subject: RE: [strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls

Hi Tobias

That is excellent, it sounds like exactly what we would like.

I'll patch a build and try it.

Many thanks
Mike



-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org]
Sent: 10 November 2015 14:27
To: Cole, Michael; dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls

Hi Michael,

> This works fine usually as strongswan appears to use the last loaded 
> CRL as the one to check when a new IKE connection is requested.

Yes, the code in vici_cred.c is definitely not ideal.  It adds a loaded CRL just like a regular certificate to the credential set, which means it just gets added to the front of the list of trusted certificates.
Instead, we should call add_crl(), which actually compares the CRL to already loaded ones (in the same credential set) and drops it if it was superseded.

I pushed a fix for this to the vici-load-cert-crl branch [1].  Let me know if that works for you.

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/vici-load-cert-crl
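The difference Tobias describes above, shown as an added, self-contained illustration that is not strongSwan's code: a CRL prepended to a credential set like any certificate ends up at the front of the list, so a lookup that takes the first match picks whichever CRL was loaded last; a supersession-aware `add_crl()` compares the new CRL with the one already loaded for the same issuer and keeps only the newer one, so load order no longer matters. The `crl_t` struct, the `cred_set_t` list, the comparison rule (CRL number first, then thisUpdate) and the sample CRL values are constructed for this example and simplify the real certificate_t/crl_t interfaces.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed, minimal model of a CRL for this illustration (not strongSwan's
 * crl_t): issuer DN as a string, the CRLNumber extension and thisUpdate as a
 * Unix timestamp. */
typedef struct {
    const char *issuer;
    uint32_t    crl_number;
    int64_t     this_update;
} crl_t;

#define MAX_ENTRIES 8

/* A credential set modelled as an ordered list; index 0 is the "front",
 * which is what a lookup consults first. */
typedef struct {
    crl_t entries[MAX_ENTRIES];
    int   count;
} cred_set_t;

/* Assumed comparison rule: higher CRL number wins, thisUpdate breaks ties. */
static bool crl_is_newer(const crl_t *cand, const crl_t *cur)
{
    if (cand->crl_number != cur->crl_number) {
        return cand->crl_number > cur->crl_number;
    }
    return cand->this_update > cur->this_update;
}

/* Naive path: prepend like any certificate, with no comparison at all (the
 * behaviour the thread describes as not ideal). Returns false when full. */
bool add_cert_naive(cred_set_t *set, const crl_t *crl)
{
    if (set->count >= MAX_ENTRIES) {
        return false;
    }
    memmove(&set->entries[1], &set->entries[0], sizeof(crl_t) * set->count);
    set->entries[0] = *crl;
    set->count++;
    return true;
}

/* Supersession-aware path: compare with the CRL already loaded for the same
 * issuer. A newer CRL replaces it in place; an older one is dropped. */
bool add_crl(cred_set_t *set, const crl_t *crl)
{
    for (int i = 0; i < set->count; i++) {
        if (strcmp(set->entries[i].issuer, crl->issuer) == 0) {
            if (crl_is_newer(crl, &set->entries[i])) {
                set->entries[i] = *crl;   /* supersede the loaded CRL */
                return true;
            }
            return false;                 /* a newer CRL is loaded: drop */
        }
    }
    return add_cert_naive(set, crl);      /* first CRL for this issuer */
}

/* Lookup the way a validator would: first match from the front. Returns the
 * CRL number found, or 0 if nothing is loaded for the issuer. */
uint32_t lookup_crl_number(const cred_set_t *set, const char *issuer)
{
    for (int i = 0; i < set->count; i++) {
        if (strcmp(set->entries[i].issuer, issuer) == 0) {
            return set->entries[i].crl_number;
        }
    }
    return 0;
}

/* Load two constructed sample CRLs in the "wrong" order (newest first, then
 * the stale one) and report which CRL number a lookup would then use. */
uint32_t load_wrong_order(bool use_add_crl)
{
    cred_set_t set = { .count = 0 };
    crl_t newer = { "C=CH, O=Example CA", 42, 1447200000 };  /* constructed */
    crl_t older = { "C=CH, O=Example CA", 41, 1446600000 };  /* constructed */
    if (use_add_crl) {
        add_crl(&set, &newer);
        add_crl(&set, &older);
    } else {
        add_cert_naive(&set, &newer);
        add_cert_naive(&set, &older);
    }
    return lookup_crl_number(&set, "C=CH, O=Example CA");
}

int main(void)
{
    printf("naive insertion picks CRL #%u\n", (unsigned)load_wrong_order(false));
    printf("add_crl insertion picks CRL #%u\n", (unsigned)load_wrong_order(true));
    return 0;
}
```

With naive insertion the stale CRL #41 wins because it was loaded last; with the supersession check the lookup returns CRL #42 regardless of load order, which is the behaviour the branch above restores for CRLs loaded over vici.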

