[strongSwan] CRL issues

Claude Tompers claude.tompers at restena.lu
Wed Sep 5 14:41:40 CEST 2012


Hi,

On strongswan < 5, I was using certificates with IKEv1 and specifically
strictcrlpolicy=yes always worked fine.
My config was something like:

ca vpnca
    cacert=VPNCA-cacert.pem
    crluri=VPNCA-crl.pem
    auto=add

config setup
    strictcrlpolicy=yes
    ...


Now with strongswan 5.0.0 as well as with 5.0.1dr3, I've got the
following error:

Sep  5 08:02:26 vpn-test charon: 17[CFG]   fetching crl from
'VPNCA-crl.pem' ...
Sep  5 08:02:26 vpn-test charon: 17[CFG] crl fetching failed


I've changed ipsec.conf to:
crluri=file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem
Then the error was:

Sep  5 09:38:00 vpn-test charon: 19[CFG]   fetching crl from
'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Sep  5 09:38:00 vpn-test charon: 19[CFG] crl fetched successfully but
parsing failed


I've changed the CRL format to DER.
Now the error is:

Sep  5 10:27:19 vpn-test charon: 18[CFG]   fetching crl from
'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.der' ...
Sep  5 10:27:19 vpn-test charon: 18[CFG] issuer of fetched CRL 'C=LU,
ST=n/a, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA VPN CA,
E=admin at restena.lu' does not match CRL issuer
'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'
Sep  5 10:27:19 vpn-test charon: 18[CFG] certificate status is not available


Has the behaviour of crluri changed?
Is it normal that PEM formatted CRLs cannot be read anymore?
Why does strongswan compare the DN to a fingerprint? Am I missing an
option there?


kind regards,
Claude

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
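A diagnostic added here, not part of the original thread or of strongSwan: it uses the openssl CLI (assumed on PATH, 1.1.1 or later) to check the three things the log lines above touch, namely whether a CRL file parses as PEM or DER, whether its issuer DN equals the CA certificate's subject, and whether its authorityKeyIdentifier (the 20-byte hex key id) matches the CA's subjectKeyIdentifier. The CA and the three CRLs it exercises are constructed throwaway data written to a directory you name.

```shell
set -eu   # added diagnostic (not from the original thread); assumes openssl 1.1.1+ on PATH
# Hex key id printed under "X509v3 <$4>:" by -text, lowercased; empty if the extension is absent.
keyid() {  # $1 = x509|crl  $2 = inform  $3 = file  $4 = heading text
  openssl "$1" -inform "$2" -in "$3" -noout -text |
    sed -n "/$4/{n;s/^ *//;s/^keyid://;p;q;}" | tr 'A-F' 'a-f'
}
# Compare a CRL with the CA certificate that should have issued it. Returns 0 only if
# both the issuer DN and the authority key identifier match the CA.
check_crl() {  # $1 = CA cert (PEM)  $2 = CRL file (PEM or DER)
  fmt=PEM; openssl crl -inform PEM -in "$2" -noout 2>/dev/null || fmt=DER
  openssl crl -inform "$fmt" -in "$2" -noout 2>/dev/null ||
    { echo "CRL parses as neither PEM nor DER"; return 1; }
  ca_subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  crl_iss=$(openssl crl -inform "$fmt" -in "$2" -noout -issuer | sed 's/^issuer=//')
  ca_ski=$(keyid x509 PEM "$1" "Subject Key Identifier")
  crl_aki=$(keyid crl "$fmt" "$2" "Authority Key Identifier")
  rc=0; echo "CRL readable with -inform $fmt"
  if [ "$ca_subj" = "$crl_iss" ]; then echo "issuer DN matches CA subject: $crl_iss"
  else echo "issuer DN MISMATCH: CRL '$crl_iss' vs CA '$ca_subj'"; rc=1; fi
  if [ -z "$crl_aki" ]; then echo "CRL has no authorityKeyIdentifier; CA SKI is $ca_ski"; rc=1
  elif [ "$crl_aki" = "$ca_ski" ]; then echo "authorityKeyIdentifier matches CA SKI: $ca_ski"
  else echo "key id MISMATCH: CRL AKI $crl_aki vs CA SKI $ca_ski"; rc=1; fi
  return $rc
}

# Constructed test data: a throwaway CA and three CRLs (PEM and DER carrying an AKI,
# PEM without one) written into directory $1, so the checks can be run offline.
make_demo() { (
  mkdir -p "$1" && cd "$1" && : > index.txt
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3ca
[dn]
[v3ca]
subjectKeyIdentifier = hash
[d]
database = index.txt
default_md = sha256
[aki]
authorityKeyIdentifier = keyid:always
EOF
  openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo VPN CA" -keyout ca.key -out ca.pem 2>/dev/null
  gencrl() { openssl ca -config demo.cnf -name d -gencrl -crldays 1 \
    -keyfile ca.key -cert ca.pem "$@" 2>/dev/null; }
  gencrl -crlexts aki -out crl.pem          # CRL with authorityKeyIdentifier
  gencrl -out crl_noaki.pem                 # same CA, extension omitted
  openssl crl -in crl.pem -outform DER -out crl.der
); }
```

Run `make_demo /tmp/crlcheck` once, then `check_crl /tmp/crlcheck/ca.pem /tmp/crlcheck/crl_noaki.pem` to see the key-id failure path; point `check_crl` at your own CA certificate and CRL to check a real pair.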

