[strongSwan] CRL issues

Claude Tompers claude.tompers at restena.lu
Wed Sep 5 15:26:06 CEST 2012


On 09/05/2012 03:11 PM, Martin Willi wrote:
> Hi Claude,
>
>> crluri=VPNCA-crl.pem
>> fetching crl from 'VPNCA-crl.pem' ...
>> crl fetching failed
> crluri takes a URI, not a file name (see ipsec.conf (5)). It might have
> worked with pluto, but it certainly does not with charon.
>
>> fetching crl from 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> An X.509 CRL distribution point always points to a DER encoded CRL (see
> [1]). We treat crluri exactly the same way, hence it must be encoded as
> DER, too.
>
>> issuer of fetched CRL 'C=LU,[...]' does not match CRL issuer
>>  'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'
> The relation between CRL and CRL issuer is resolved using the CRL
> authorityKeyIdentifier. This means that the CRL must contain an
> authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
> issuer (see [2]).
>
> Regards
> Martin
>
> [1] http://tools.ietf.org/html/rfc5280#section-4.2.1.13
> [2] http://tools.ietf.org/html/rfc5280#section-5.2.1
>
Hi Martin,

Thanks for the explanations.

I don't see an authorityKeyIdentifier in my CRL, but my openssl.cnf
contains:

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

Isn't this correct?

kind regards,
Claude

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
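Editor's note, with an added example that is not code from this thread, from strongSwan or from OpenSSL. A [ crl_ext ] section in openssl.cnf has no effect on its own: openssl ca -gencrl only applies the section named by crl_extensions in the CA section (or by -crlexts on the command line). The script below builds a throwaway CA, generates one CRL with and one without that reference, converts both to the DER form charon expects behind crluri, and then performs the two checks Martin describes: is the file DER, and does the CRL's authorityKeyIdentifier keyid equal the issuer's subjectKeyIdentifier. It assumes OpenSSL 1.1.1 or 3.x on the PATH; the CA name and file names are made up, and the [ crl_ext ] contents are copied from the post above.

```shell
#!/bin/sh
# Added example; not code from the thread, strongSwan or OpenSSL.
# Assumes openssl 1.1.1 or 3.x on PATH. CA name and file names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA config. "$1" is inserted into [ ca_default ]: the one line that
# decides whether [ crl_ext ] is used at all is "crl_extensions = crl_ext".
write_cnf() {
cat > "$2" <<EOF
[ ca ]
default_ca = ca_default

[ ca_default ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
policy = policy_any
$1

[ policy_any ]
commonName = supplied

[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca

[ dn ]
CN = Example VPN CA

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
EOF
}

write_cnf ""                         nocrlext.cnf  # section present, never referenced
write_cnf "crl_extensions = crl_ext" crlext.cnf    # section actually applied

touch index.txt
echo 01 > serial
echo 01 > crlnumber
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -config crlext.cnf -extensions v3_ca >/dev/null 2>&1

# Two CRLs from the same CA, each also converted to the DER form that a
# crluri / CRL distribution point must serve.
openssl ca -gencrl -config nocrlext.cnf -out crl-nocrlext.pem >/dev/null 2>&1
openssl ca -gencrl -config crlext.cnf   -out crl-crlext.pem   >/dev/null 2>&1
openssl crl -in crl-nocrlext.pem -outform DER -out crl-nocrlext.der
openssl crl -in crl-crlext.pem   -outform DER -out crl-crlext.der

# PEM or DER? First byte: '-' (0x2d) opens "-----BEGIN X509 CRL-----",
# 0x30 is the SEQUENCE tag that starts a DER CertificateList.
crl_encoding() {
  case "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" in
    2d) echo PEM ;;
    30) echo DER ;;
    *)  echo UNKNOWN ;;
  esac
}
HEX20='([0-9A-F]{2}:){19}[0-9A-F]{2}'   # a 20-byte (SHA-1) key identifier

# subjectKeyIdentifier of a certificate; empty if the extension is absent.
cert_ski() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Key Identifier/ { getline; print }' \
    | grep -Eo "$HEX20" || true
}

# keyid of a CRL's authorityKeyIdentifier; empty if the extension is absent.
crl_aki_keyid() {
  openssl crl -inform "$(crl_encoding "$1")" -in "$1" -noout -text \
    | awk '/Authority Key Identifier/ { getline; print }' \
    | grep -Eo "$HEX20" | head -n 1 || true
}

# The relation charon resolves: CRL authorityKeyIdentifier == issuer SKI.
aki_matches_ski() {
  aki=$(crl_aki_keyid "$1"); ski=$(cert_ski "$2")
  [ -n "$aki" ] && [ "$aki" = "$ski" ]
}

for f in crl-nocrlext.der crl-crlext.der; do
  if aki_matches_ski "$f" ca.crt; then r=matches; else r=missing; fi
  echo "$f: $(crl_encoding "$f"), authorityKeyIdentifier $r issuer SKI"
done
```

The first CRL comes out without any authorityKeyIdentifier even though [ crl_ext ] is in the file; the second carries the issuer's keyid and matches ca.crt. Once a DER file is in place, the ipsec.conf line from the thread would read crluri=file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.der (the path from the earlier message, with the file name changed here only to reflect the encoding; the name itself is arbitrary).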


