[strongSwan] Problem in stack when crl updation is done

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 30 18:01:08 CEST 2010

Hi Vivek,

you are misunderstanding the meaning of the nextUpdate field in the CRL.

The old CRL defines

        Last Update: Mar 24 08:35:58 2010 GMT
        Next Update: Apr 13 08:36:18 2010 GMT
        CRL extensions:
            X509v3 CRL Number: 5227

and the latest CRL defines

        Last Update: Mar 26 10:37:27 2010 GMT
        Next Update: Apr 15 10:37:47 2010 GMT
        CRL extensions:
            X509v3 CRL Number: 5231

strongSwan first fetches CRL #5227 and notes that the nextUpdate
is due on Apr 13 08:36:18 2010 GMT. Before that date strongSwan
will not bother to look for a fresher CRL. Only when the old
CRL becomes stale after Apr 13 08:36:18 2010 GMT it will make an
effort to discover the new CRL # 5231.

If you want to react faster to revoked certificates then you
have two choices:

1) reduce the time between until nextUpdate to 1 day or even 1 hour
   and release fresh CRLs accordingly.

2) use the Online Certificate Status Protocol (OCSP) which will
   fetch the current status in real-time.

Best regards


vivek bairathi wrote:
> Hi All,
> I am getting a problem with the strongswan-4.2.8, whenever I revoke a
> peer certificate and
> update the latest crl at my end and then try to make an SA it gets
> created as it should not.
> When I debug the stack I found that in credential_manager.c there is a
> function
> "get_better_crl", in this there are two problems that I saw:
> 1. The crl list that is passed is having both the crls - the older one
> and the latest one. (As I had provided only two crls, one at the
> starting of the stack and the other after revoking the cert). But I
> think as the new crl is added the older should deleted?
> 2. The comparison done between the certificate serial number and the
> serial numbers present in the crl is done with only the old crl and not
> the new crl in which the certificate is revoked. I think there is some
> problem in the parsing of the crl list as the crl list is not completely
> parsed?
> Thanks for your help in advance.
> Regards,
> Vivek

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3430 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100330/9d2ecedb/attachment.bin>

More information about the Users mailing list