<html><head><style type="text/css">body{font:12px Arial;margin:3px;overflow-y:auto;overflow-x:auto}p{margin:0px;}blockquote, ol, ul{margin-top:0px;margin-bottom:0px;}</style></head>

<body><div style="DISPLAY: block; FONT-SIZE: 12px; FONT-FAMILY: Arial"><BR>
<DIV>
<DIV style="DISPLAY: block; FONT-SIZE: 12px; FONT-FAMILY: Arial">
<P>hi all,</P>
<P>&nbsp;</P>
<P>i am&nbsp; using openswan-2.3.1 with certificates and I try to use a crl distribution point.</P>
<P>&nbsp;</P>
<P>so my network is :</P>
<P>&nbsp;</P>
<P>host 1: 195.212.109.205</P>
<P>Apache is running here and the CRL is reachable at <A href="http://195.212.109.205/ca.crl" target=_blank>http://195.212.109.205/ca.crl</A></P>
<P>&nbsp;</P>
<P>host 2:195.212.109.202</P>
<P>This host uses a user certificate: user01desuri.crt</P>
<P>&nbsp;</P>
<P>host 3: 195.212.109.202</P>
<P>This host uses a user certificate: user02desuri.crt</P>
<P>&nbsp;</P>
<P>As it is written on the readme.x509 of openswan.org&nbsp; Documentation,&nbsp; I modified my openssl.cnf&nbsp; on the CA, like this :</P>
<P>-----------------------------------------------------------------------------------------------------------------------</P>
<P>[ user_cert ]</P>
<P>basicConstraints = critical, CA:false<BR>authorityKeyIdentifier = keyid:always<BR>subjectKeyIdentifier = hash<BR>keyUsage = digitalSignature, nonRepudiation, keyEncipherment<BR>extendedKeyUsage = clientAuth, emailProtection<BR>nsCertType = client, email<BR>nsComment = "Certificate issued by Company"<BR>subjectAltName = email:copy<BR>#--------------distrib point-------------------<BR>crlDistributionPoints=URI:http://195.212.109.205/ca.crl</P>
<P>-------------------------------------------------------------------------------------------------------------------------</P>
<P>&nbsp;</P>
<P>So now when the CA signs a certificate it gives to me :</P>
<P>-------------------------------------------------------------------------------------------------------------------------</P>
<P>[...]</P>
<P>X509v3 extensions:<BR>&nbsp;X509v3 Basic Constraints: critical<BR>&nbsp;CA:FALSE<BR>&nbsp;X509v3 Authority Key Identifier:<BR>&nbsp;keyid:28:99:32:6E:71:23:3D:5D:D8:9A:C2:2A:BE:18:BF:98:94:76:29:76<BR>&nbsp;X509v3 Subject Key Identifier:<BR>&nbsp;A6:0A:2C:41:7B:8B:4D:6D:75:6B:B5:A2:EC:25:95:81:E7:12:D1:BC<BR>&nbsp;X509v3 Key Usage:<BR>&nbsp;Digital Signature, Non Repudiation, Key Encipherment<BR>&nbsp;X509v3 Extended Key Usage:<BR>&nbsp;TLS Web Client Authentication, E-mail Protection<BR>&nbsp;Netscape Cert Type:<BR>&nbsp;SSL Client, S/MIME<BR>&nbsp;Netscape Comment:<BR>&nbsp;Certificate issued by Company<BR>&nbsp;X509v3 Subject Alternative Name:<BR>&nbsp;email:ngc1976.m42@caramail.com<BR>&nbsp;X509v3 CRL Distribution Points:<BR>&nbsp;URI:http://195.212.109.205/ca.crl</P>
<P>[...]</P>
<P>-------------------------------------------------------------------------------------------------------------------------</P>
<P>&nbsp;</P>
<P>This CRL distribution point is the same for host 2 and 3.</P>
<P>I use a VPN between host 2 host 3 with certificates like this, but they never try to get the CRL on the APACHE server.....WHY?</P>
<P>&nbsp;</P>
<P>&nbsp;</P>
<P>when I check my CRL properties, I have no distPts: ........</P>
<P>-------------------------------------------------------------------------------------------------------------------------</P>
<P>[root@dhcp202 crls]# ipsec auto --listcrls<BR>000<BR>000 List of X.509 CRLs:<BR>000<BR>000 May 26 14:40:13 2005, revoked certs: 1<BR>000 issuer: 'C=fr, ST=ile-de-france, L=paris, O=motorola, <BR>CN=rootca1024'<BR>000 updates: this May 26 14:01:39 2005<BR>000 next Jun 25 14:01:39 2005 ok</P>
<P>-------------------------------------------------------------------------------------------------------------------------</P>
<P>&nbsp;</P>
<P>what I have to do?</P>
<P>Something to change in programs/pluto/Makefile ?</P>
<P>need a patch ?</P>
<P>&nbsp;</P>
<P>thx </P>
<P>david</P></DIV></DIV></br><p style="margin-top:11px;padding-top:3px;background-image: url(http://mail.lycos.co.uk/Images/Mail/_content/dot.gif);background-repeat: repeat-x;background-position: 0px 0px;"><a href="http://secure.caramail.lycos.fr/services/content/advdetail.jsp?advid=advprotekon&advsvc=advsecure&TARGETCODE=FR_footermail_link"><img src="http://images.lycos-europe.com/m/comc/lycos/cont/security/sm_protekon_transpa.gif"></img></a> CaraMail met en oeuvre un nouveau <a href="http://secure.caramail.lycos.fr/services/content/advdetail.jsp?advid=advprotekon&advsvc=advsecure&TARGETCODE=FR_footermail_link" target="_blank"><font color="#CC0000"><b>Concept de Sécurité Globale</b></font></a> à partir de 1,49 ? par mois</div></body></html>