[Openswan Users] Dynamic CRL fetching

Gregor Bethlen saphira at bethlen.de
Fri Aug 20 13:30:14 CEST 2004

Paul Wouters <paul at xelerance.com> wrote on 20.08.04 11:17:12:
> On Fri, 20 Aug 2004, Gregor Bethlen wrote:
> > > > crlcheckinterval=600
> > Still got the same result - openswan fetches no crls. pluto-debug tells me that it can read the CDP-entries in the certificate. But it doesn't fetch the crls.
> > 
> > Since the windows-roadwarrior fetches the crl via http, the crl can be accessed via http.
> > 
> > Any hints?
> Set the crlcheckinterval to 10 and see what happens? It all also depend on
> how long things are valid for. If you signed with a very long crl validity,
> it won't be checking for a very long time. You can also add strictcrlpolicy=yes
> to trigger immediate fetching at startup.

Hello Paul,

checkinterval=10 didn't change anything. The crl is valid 30 days, but changing the system date 2 months ahead, thus making the crl expired, doesn't change the behavior. ipsec auto --listcrls says that the crl is expired, but doesn't fetch a new one.
Changing strictcrlpolicy=yes leads to rejection of the peer-certificate, because the issuer crl cannot be found.

> If that fails, I'll have to things out myself again. I haven't used this in
> a long time, and unfortunately I didn't write a testcase for this, so we
> don't have this feature in our nightly regression testing yet. 

It is not THAT important, I just wanted to test if dynamic crl fetching works at all.

Is the dynamic crl fetching with openswan 2.1.4 working anywhere? If not, I can stop trying; if yes, the problem would be in my installation.

Short system description: SuSE Linux 9.1, Kernel 2.6.5, OpenSSL 0.9.7d (known to have some bugs, but pluto doesn't give an error message, so they shouldn't affect this here), OpenS/WAN 2.1.4.

> Paul
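To separate "pluto does not fetch" from "the CDP is unreachable or the CRL really is stale", the following added example (not Openswan code) does by hand what pluto is expected to do: it reads the http CDP URIs out of the peer certificate with the openssl CLI, downloads each CRL the way the Windows roadwarrior does, and reports nextUpdate. It assumes python3 and the openssl binary are installed and takes the PEM certificate path on the command line.

```python
import re
import subprocess
import urllib.request
from datetime import datetime, timezone

# Timestamp format printed by "openssl crl -nextupdate", e.g. "Sep 19 13:30:14 2004 GMT".
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"

def parse_openssl_time(text):
    """Parse an openssl-style UTC timestamp into an aware datetime."""
    return datetime.strptime(text.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)

def crl_expired(next_update, now=None):
    """True once nextUpdate has passed; this is the point where a refetch is due."""
    now = now or datetime.now(timezone.utc)
    return next_update <= now

def cdp_uris_from_text(x509_text):
    """Pull http:// CRL distribution points out of 'openssl x509 -text' output
    (only http is handled here, as on the thread; ldap:// CDPs are ignored)."""
    return re.findall(r"URI:(http://\S+)", x509_text)

def cdp_uris(cert_path):
    text = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    return cdp_uris_from_text(text)

def crl_next_update(crl_bytes):
    """Hand a fetched CRL (DER or PEM) to openssl and return its nextUpdate."""
    inform = "PEM" if crl_bytes.startswith(b"-----BEGIN") else "DER"
    out = subprocess.run(["openssl", "crl", "-inform", inform, "-noout", "-nextupdate"],
                         input=crl_bytes, check=True, capture_output=True).stdout.decode()
    return parse_openssl_time(out.split("=", 1)[1])

def check_cdps(cert_path, timeout=10):
    """Fetch every CDP of the certificate; returns [(uri, nextUpdate, expired), ...]."""
    results = []
    for uri in cdp_uris(cert_path):
        with urllib.request.urlopen(uri, timeout=timeout) as resp:
            crl_bytes = resp.read()
        nxt = crl_next_update(crl_bytes)
        results.append((uri, nxt, crl_expired(nxt)))
    return results

if __name__ == "__main__":
    import sys
    for uri, nxt, expired in check_cdps(sys.argv[1]):
        state = "EXPIRED" if expired else "ok"
        print(f"{uri}: nextUpdate={nxt:%Y-%m-%d %H:%M:%S} UTC ({state})")
```

If this script fetches the CRL fine while `ipsec auto --listcrls` still shows the old one, the CDP side is ruled out and the problem is in pluto's fetch logic or its configuration.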



