[strongSwan] Problem in stack when crl updation is done
Andreas Steffen
andreas.steffen at strongswan.org
Tue Mar 30 18:01:08 CEST 2010
Hi Vivek,
you are misunderstanding the meaning of the nextUpdate field in the CRL.
The old CRL defines
Last Update: Mar 24 08:35:58 2010 GMT
Next Update: Apr 13 08:36:18 2010 GMT
CRL extensions:
X509v3 CRL Number: 5227
and the latest CRL defines
Last Update: Mar 26 10:37:27 2010 GMT
Next Update: Apr 15 10:37:47 2010 GMT
CRL extensions:
X509v3 CRL Number: 5231
strongSwan first fetches CRL #5227 and notes that the nextUpdate
is due on Apr 13 08:36:18 2010 GMT. Before that date strongSwan
will not bother to look for a fresher CRL. Only when the old
CRL becomes stale after Apr 13 08:36:18 2010 GMT will it make an
effort to discover the new CRL #5231.
If you want to react faster to revoked certificates then you
have two choices:
1) reduce the time until nextUpdate to 1 day or even 1 hour
and release fresh CRLs accordingly.
2) use the Online Certificate Status Protocol (OCSP) which will
fetch the current status in real-time.
Best regards
Andreas
vivek bairathi wrote:
> Hi All,
>
> I am getting a problem with strongswan-4.2.8: whenever I revoke a
> peer certificate, update the latest crl at my end and then try to
> make an SA, it gets created, which it should not.
> When I debug the stack I found that in credential_manager.c there is a
> function
> "get_better_crl", in this there are two problems that I saw:
>
> 1. The crl list that is passed has both the crls - the older one
> and the latest one. (As I had provided only two crls, one at the
> start of the stack and the other after revoking the cert.) But I
> think as the new crl is added the older one should be deleted?
> 2. The comparison between the certificate serial number and the
> serial numbers present in the crl is done with only the old crl and not
> the new crl in which the certificate is revoked. I think there is some
> problem in the parsing of the crl list, as the crl list is not completely
> parsed?
>
> Thanks for your help in advance.
>
> Regards,
> Vivek
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
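The refresh behaviour Andreas describes, replayed as an added example (this is not strongSwan code and does not model the real credential_manager.c): a cached CRL is only replaced once its nextUpdate has passed, so a revocation that first appears in CRL #5231 stays invisible to a verifier holding #5227 until Apr 13. The CRL numbers and timestamps are the ones quoted in the thread; the revoked serial number, the `CrlRepository` stand-in for the CA's distribution point, and the "highest CRL number wins" rule in `better_crl` are assumptions made for the example.

```python
"""Model of CRL-freshness handling: a cached CRL is only refreshed once its
nextUpdate has passed, so a revocation published in a newer CRL stays
invisible until then unless CRL validity is shortened (option 1 in the reply)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


def crl_time(text: str) -> datetime:
    """Parse an OpenSSL-style CRL timestamp such as 'Mar 24 08:35:58 2010 GMT'."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Crl:
    crl_number: int
    last_update: datetime
    next_update: datetime
    revoked_serials: frozenset = field(default_factory=frozenset)

    def is_stale(self, now: datetime) -> bool:
        """A CRL is usable until nextUpdate; after that it must be replaced."""
        return now >= self.next_update


# Constructed serial number of the revoked peer certificate (not from the thread).
REVOKED_SERIAL = 0x2A

# The two CRLs quoted in the thread; the revoked serial only appears in #5231.
OLD_CRL = Crl(5227, crl_time("Mar 24 08:35:58 2010 GMT"), crl_time("Apr 13 08:36:18 2010 GMT"))
NEW_CRL = Crl(5231, crl_time("Mar 26 10:37:27 2010 GMT"), crl_time("Apr 15 10:37:47 2010 GMT"),
              frozenset({REVOKED_SERIAL}))


class CrlRepository:
    """Assumed stand-in for the CA's distribution point: serves the newest published CRL."""
    def __init__(self, published):
        self.published = list(published)

    def publish(self, crl: Crl) -> None:
        self.published.append(crl)

    def fetch(self) -> Crl:
        return max(self.published, key=lambda c: c.crl_number)


def better_crl(a: Optional[Crl], b: Crl) -> Crl:
    """Prefer the CRL with the higher CRL number (assumed monotonic per issuer)."""
    if a is None or b.crl_number > a.crl_number:
        return b
    return a


class CrlCache:
    """Holds one CRL and only goes back to the repository once that CRL is stale."""
    def __init__(self, repo: CrlRepository):
        self.repo = repo
        self.cached: Optional[Crl] = None

    def current(self, now: datetime) -> Crl:
        if self.cached is None or self.cached.is_stale(now):
            self.cached = better_crl(self.cached, self.repo.fetch())
        return self.cached

    def is_revoked(self, serial: int, now: datetime) -> bool:
        return serial in self.current(now).revoked_serials


def with_validity(crl: Crl, hours: int) -> Crl:
    """Option 1 from the reply: issue CRLs whose nextUpdate is only `hours` away."""
    return Crl(crl.crl_number, crl.last_update,
               crl.last_update + timedelta(hours=hours), crl.revoked_serials)


def revocation_seen(validity_hours: Optional[int], check_time: str) -> bool:
    """Replay the thread's timeline (peer fetches #5227 on Mar 24, CA releases
    #5231 on Mar 26) and return what a verifier consulting the cache at
    `check_time` concludes about the revoked serial.  None keeps the
    validity periods exactly as published in the thread."""
    old = OLD_CRL if validity_hours is None else with_validity(OLD_CRL, validity_hours)
    new = NEW_CRL if validity_hours is None else with_validity(NEW_CRL, validity_hours)
    repo = CrlRepository([old])
    cache = CrlCache(repo)
    cache.current(crl_time("Mar 24 09:00:00 2010 GMT"))   # peer first fetches #5227
    repo.publish(new)                                      # CA releases #5231 on Mar 26
    return cache.is_revoked(REVOKED_SERIAL, crl_time(check_time))


if __name__ == "__main__":
    for hours, label in ((None, "validity as published"), (24, "1-day validity")):
        print(f"{label}: revocation visible on Mar 26? "
              f"{revocation_seen(hours, 'Mar 26 12:00:00 2010 GMT')}")
```

With the published validity the check on Mar 26 still answers False and only flips to True after Apr 13; with a one-day validity the stale #5227 is discarded on Mar 25 and the next check already sees #5231. OCSP (option 2) sidesteps the cache entirely and is not modelled here.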