[strongSwan] Problem in stack when crl updation is done

Andreas Steffen andreas.steffen at strongswan.org
Fri Mar 26 13:58:36 CET 2010

Hi Vivek,

can you send me both the old and new CRL and the issuing CA certificate?

Best regards


On 26.03.2010 13:44, vivek bairathi wrote:
> Hi All,
> I am getting a problem with the strongswan-4.2.8, whenever I revoke a
> peer certificate and
> update the latest crl at my end and then try to make an SA it gets
> created as it should not.
> When I debug the stack I found that in credential_manager.c there is a
> function
> "get_better_crl", in this there are two problems that I saw:
> 1. The crl list that is passed is having both the crls - the older one
> and the latest one. (As I had provided only two crls, one at the
> starting of the stack and the other after revoking the cert). But I
> think as the new crl is added the older should be deleted?
> 2. The comparison done between the certificate serial number and the
> serial numbers present in the crl is done with only the old crl and not
> the new crl in which the certificate is revoked. I think there is some
> problem in the parsing of the crl list as the crl list is not completely
> parsed?
> Thanks for your help in advance.
> Regards,
> Vivek

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
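
The revocation check discussed in this thread, as an added example that is not part of the original messages and is not strongSwan's `credential_manager.c`: when an old and a new CRL from the same issuer are both cached, the serial must be checked against the most recently issued one. All types, function names and sample values below are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

typedef enum { CERT_GOOD, CERT_REVOKED, CRL_STALE, CRL_MISSING } crl_status_t;

/* Hypothetical, simplified CRL record (not a strongSwan type). */
typedef struct {
    time_t this_update;            /* issue time of this CRL */
    time_t next_update;            /* CRL is stale after this time */
    const unsigned long *revoked;  /* revoked serial numbers */
    size_t n_revoked;
} crl_t;

/* Return the most recently issued CRL in the cache, or NULL if empty. */
const crl_t *freshest_crl(const crl_t *cache, size_t n)
{
    const crl_t *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (best == NULL || cache[i].this_update > best->this_update)
            best = &cache[i];
    return best;
}

/* Check a serial against the freshest cached CRL only, never an older one. */
crl_status_t check_serial(const crl_t *cache, size_t n,
                          unsigned long serial, time_t now)
{
    const crl_t *crl = freshest_crl(cache, n);
    if (crl == NULL) return CRL_MISSING;
    if (crl->next_update < now) return CRL_STALE;
    for (size_t i = 0; i < crl->n_revoked; i++)
        if (crl->revoked[i] == serial) return CERT_REVOKED;
    return CERT_GOOD;
}

/* Constructed sample: old CRL cached first, new CRL revokes serial 0x1005. */
static const unsigned long OLD_REVOKED[] = { 0x1001 };
static const unsigned long NEW_REVOKED[] = { 0x1001, 0x1005 };
static const crl_t CACHE[] = {
    { 1000, 5000, OLD_REVOKED, 1 },
    { 2000, 6000, NEW_REVOKED, 2 },
};

int main(void)
{
    printf("old CRL only: %d\n", check_serial(CACHE, 1, 0x1005, 3000));
    printf("both cached:  %d\n", check_serial(CACHE, 2, 0x1005, 3000));
    return 0;
}
```

With only the old CRL consulted the revoked peer is accepted; once the freshest of the two cached CRLs is selected, the same serial is rejected.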
