[strongSwan] CRL check: how to fail over to local CRL if fetch fails

Noel Kuntze noel at familie-kuntze.de
Fri Apr 21 19:36:23 CEST 2017

Hello Zach,

Make sure you have the "files"[1] plugin.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginList

Kind regards,

Am 21.04.2017 um 19:32 schrieb Zach Cutlip:
> I'm not sure why the CRL loaded from from /etc/ipsec.d/crls isn't
> being checked during authentication. It's definitely cached in memory
> according to 'ipsec listcrls'
> However, I've added a ca section to ipsec.conf, listing the exact same
> crl, but with a file:/// url:
> crluri = file:///etc/ssl/mydomain.org/ca2.mydomain.org.crl.pem
> I turned up logging, and I see an attempt to fetch that CRL during
> each authentication attempt:
> Apr 21 09:55:10 geonosis ipsec[3172]: 09[CFG]   fetching crl from
> 'file:///etc/ssl/mydomain.org/ca2.mydomain.org.crl.pem' ...
> Apr 21 09:55:10 geonosis ipsec[3172]: 09[LIB]   sending http request
> to 'file:///etc/ssl/mydomain.org/ca2.mydomain.org.crl.pem'...
> Apr 21 09:55:10 geonosis ipsec[3172]: 09[CFG] crl fetching failed
> I've verified the file is world readable. I can cat it, and I can curl the uri.
> I've also tried converting it to der format.
> So, it seems there are two questions:
> Why is the CRL loaded from /etc/ipsec.d/crls/, but not consulted?
> Why is the curl plugin unable to fetch the local CRL from the file:/// uri?
> On Fri, Apr 21, 2017 at 9:25 AM, Zach Cutlip <uid000 at gmail.com> wrote:
>> Tobias,
>> Anything in particular I should be looking for in the logs? I
>> definitely see the CRL getting loaded from disk when I start the
>> service. I also see in the logs the remote CRL fetch failing. Nothing
>> is mentioned in the logs about the local CRL.
>> Thanks
>> On Fri, Apr 21, 2017 at 12:20 AM, Tobias Brunner <tobias at strongswan.org> wrote:
>>> Hi Zach,
>>>> Alternatively, is there a way to just ignore embedded CRL distribution
>>>> points, and always use the local CRL?
>>> If the revocation plugin finds a cached CRL (either previously fetched
>>> or loaded manually) that's still valid it will use that and not fetch
>>> any remote CRLs.  Check the log for details on what's going on.
>>> Regards,
>>> Tobias
>> --
>> :wq!
> -- :wq! _______________________________________________ Users mailing list Users at lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170421/0797bf58/attachment-0001.sig>

More information about the Users mailing list