[strongSwan] CRL issues
Claude Tompers
claude.tompers at restena.lu
Wed Sep 5 14:41:40 CEST 2012
Hi,
On strongswan < 5, I was using certificates with IKEv1 and specifically
strictcrlpolicy=yes always worked fine.
My config was something like:
ca vpnca
    cacert=VPNCA-cacert.pem
    crluri=VPNCA-crl.pem
    auto=add

config setup
    strictcrlpolicy=yes
    ...
Now with strongswan 5.0.0 as well as with 5.0.1dr3, I've got the
following error:
Sep 5 08:02:26 vpn-test charon: 17[CFG] fetching crl from 'VPNCA-crl.pem' ...
Sep 5 08:02:26 vpn-test charon: 17[CFG] crl fetching failed
I've changed ipsec.conf to:
crluri=file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem
Then the error was:
Sep 5 09:38:00 vpn-test charon: 19[CFG] fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Sep 5 09:38:00 vpn-test charon: 19[CFG] crl fetched successfully but parsing failed
I've changed the CRL format to DER.
Now the error is:
Sep 5 10:27:19 vpn-test charon: 18[CFG] fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.der' ...
Sep 5 10:27:19 vpn-test charon: 18[CFG] issuer of fetched CRL 'C=LU, ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA, E=admin at restena.lu' does not match CRL issuer 'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'
Sep 5 10:27:19 vpn-test charon: 18[CFG] certificate status is not available
Has the behaviour of crluri changed?
Is it normal that PEM formatted CRLs cannot be read anymore?
Why does strongswan compare the DN to a fingerprint? Am I missing an
option there?
Kind regards,
Claude
--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
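Added example, not from this thread or from the strongSwan project: a POSIX shell script with the checks an administrator would run on a CRL file before pointing crluri at it, one per error seen above: does the file parse as PEM or DER, does the CRL issuer DN equal the CA certificate's subject, does the CRL signature verify under that CA, and does the CRL's authorityKeyIdentifier match the CA's subjectKeyIdentifier (the last log line compares a DN against a key fingerprint, so that extension is worth inspecting). It uses only the openssl command line; the CA, the CRL and every name in it are constructed placeholders, not RESTENA's files.

```sh
# Added example, not from the thread: check a CRL against its CA certificate before
# pointing strongSwan's crluri at it. CA, CRL and all names are constructed placeholders.
set -eu; WORK=$(mktemp -d); cd "$WORK"; touch index.txt
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
mk_ca() {  # self-signed CA: $1 = CN, $2 = output file prefix
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=LU/O=Example Org/CN=$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}
mk_ca "Example VPN CA" ca; mk_ca "Unrelated CA" other
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.pem -out crl.pem 2>/dev/null
openssl crl -in crl.pem -outform DER -out crl.der   # the same CRL, DER-encoded
crl_format() {  # PEM, DER or UNKNOWN: the 'fetched successfully but parsing failed' case
  if openssl crl -in "$1" -inform PEM -noout 2>/dev/null; then echo PEM
  elif openssl crl -in "$1" -inform DER -noout 2>/dev/null; then echo DER
  else echo UNKNOWN; fi
}
crl_issuer_matches() {  # $1 = CA cert (PEM), $2 = CRL: CRL issuer DN must equal the CA subject DN
  ca=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  iss=$(openssl crl -in "$2" -inform "$(crl_format "$2")" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  [ "$ca" = "$iss" ]
}
crl_signed_by() {  # the CRL signature verifies under the CA's public key
  openssl crl -in "$2" -inform "$(crl_format "$2")" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}
key_id() {  # $1 = x509|crl, $2 = file, $3 = inform, $4 = extension name; any 'keyid:' prefix stripped
  openssl "$1" -in "$2" -inform "$3" -noout -text |
    awk -v k="$4" 'index($0, k) { getline; sub(/^[ \t]*(keyid:)?/, ""); print; exit }'
}
crl_aki_matches_ca_ski() {  # CRL authorityKeyIdentifier present and equal to the CA subjectKeyIdentifier
  ski=$(key_id x509 "$1" PEM 'Subject Key Identifier')
  [ -n "$ski" ] && [ "$ski" = "$(key_id crl "$2" "$(crl_format "$2")" 'Authority Key Identifier')" ]
}
for f in crl.pem crl.der; do echo "$f: format=$(crl_format "$f") issuer=$(crl_issuer_matches ca.pem "$f" && echo ok || echo FAIL)" \
  "signature=$(crl_signed_by ca.pem "$f" && echo ok || echo FAIL) aki=$(crl_aki_matches_ca_ski ca.pem "$f" && echo ok || echo FAIL)"; done
```

Run it against a real CA certificate and CRL by replacing ca.pem and crl.pem in the last line; a FAIL in the issuer column is the condition the "does not match CRL issuer" log line reports.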