[Openswan Users] crlDistributionPoints
Andreas Steffen
andreas.steffen at strongsec.net
Fri May 27 11:03:15 CEST 2005
Hi David,
the following steps are required to enable crl fetching:
- libcurl and pthreads support must be compiled into
pluto by enabling the corresponding compile options.
- the asynchronous crl fetching thread must be started
by setting
crlcheckinterval=600 # e.g. every 600 seconds
in the config setup section of ipsec.conf
- if there is no valid copy of the crl in /etc/ipsec.d/crls
a fetching request to the http site is automatically started
when the first certificate containing a CDP is received.
Regards
Andreas
david wrote:
>
> hi all,
>
> i am using openswan-2.3.1 with certificates and I try to use a crl
> distribution point.
>
> so my network is :
>
> host 1: 195.212.109.205
>
> Apache is running here and the CRL is reachable at
> http://195.212.109.205/ca.crl
>
> host 2:195.212.109.202
>
> This host uses a user certificate: user01desuri.crt
>
> host 3: 195.212.109.202
>
> This host uses a user certificate: user02desuri.crt
>
> As it is written on the readme.x509 of openswan.org Documentation, I
> modified my openssl.cnf on the CA, like this :
>
> -----------------------------------------------------------------------------------------------------------------------
>
> [ user_cert ]
>
> basicConstraints = critical, CA:false
> authorityKeyIdentifier = keyid:always
> subjectKeyIdentifier = hash
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment
> extendedKeyUsage = clientAuth, emailProtection
> nsCertType = client, email
> nsComment = "Certificate issued by Company"
> subjectAltName = email:copy
> #--------------distrib point-------------------
> crlDistributionPoints=URI:http://195.212.109.205/ca.crl
>
> -------------------------------------------------------------------------------------------------------------------------
>
> So now when the CA signs a certificate it gives to me :
>
> -------------------------------------------------------------------------------------------------------------------------
>
> [...]
>
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:FALSE
> X509v3 Authority Key Identifier:
> keyid:28:99:32:6E:71:23:3D:5D:D8:9A:C2:2A:BE:18:BF:98:94:76:29:76
> X509v3 Subject Key Identifier:
> A6:0A:2C:41:7B:8B:4D:6D:75:6B:B5:A2:EC:25:95:81:E7:12:D1:BC
> X509v3 Key Usage:
> Digital Signature, Non Repudiation, Key Encipherment
> X509v3 Extended Key Usage:
> TLS Web Client Authentication, E-mail Protection
> Netscape Cert Type:
> SSL Client, S/MIME
> Netscape Comment:
> Certificate issued by Company
> X509v3 Subject Alternative Name:
> email:ngc1976.m42 at caramail.com
> X509v3 CRL Distribution Points:
> URI:http://195.212.109.205/ca.crl
>
> [...]
>
> -------------------------------------------------------------------------------------------------------------------------
>
> This CRL distribution point is the same for host 2 and 3.
>
> I use a VPN between host 2 host 3 with certificates like this, but they
> never try to get the CRL on the APACHE server.....WHY?
>
> when I check my CRL properties, I have no distPts: ........
>
> -------------------------------------------------------------------------------------------------------------------------
>
> [root at dhcp202 crls]# ipsec auto --listcrls
> 000
> 000 List of X.509 CRLs:
> 000
> 000 May 26 14:40:13 2005, revoked certs: 1
> 000 issuer: 'C=fr, ST=ile-de-france, L=paris, O=motorola,
> CN=rootca1024'
> 000 updates: this May 26 14:01:39 2005
> 000 next Jun 25 14:01:39 2005 ok
>
> -------------------------------------------------------------------------------------------------------------------------
>
> what I have to do?
>
> Something to change in programs/pluto/Makefile ?
>
> need a patch ?
>
> thx
>
> david
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
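An added example, not from this thread or from Openswan, for confirming that an issued certificate really carries the CRL Distribution Points extension pluto needs before it can fetch anything: it decodes the extension's DER value with Python's standard library only. SAMPLE_CDP is constructed here to mirror the URI shown in the certificate dump above; the small encoder assumes single-byte tags and bodies under 256 bytes.

```python
# Added example, not Openswan code: decode the X509v3 CRL Distribution
# Points extension (OID 2.5.29.31) from DER with the standard library only.

def der_tlv(buf, pos=0):
    """Return (tag, value, end) for the single-byte-tag TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (>127 bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_tlv(buf, pos)
        out.append((tag, val))
    return out

def der_encode(tag, body):
    """Minimal DER encoder for the sample below (bodies under 256 bytes)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def crl_distribution_uris(ext_value):
    """Walk CRLDistributionPoints ::= SEQUENCE OF DistributionPoint and return
    each URI ([6] IA5String) found under distributionPoint [0] / fullName [0]."""
    uris = []
    top_tag, points, _ = der_tlv(ext_value)
    if top_tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    for tag, dp in der_children(points):          # each DistributionPoint
        if tag != 0x30: continue
        for dtag, dval in der_children(dp):
            if dtag != 0xA0: continue             # skip reasons [1], cRLIssuer [2]
            for ntag, names in der_children(dval):
                if ntag != 0xA0: continue         # only fullName [0] GeneralNames
                for gtag, gval in der_children(names):
                    if gtag == 0x86:              # [6] uniformResourceIdentifier
                        uris.append(gval.decode("ascii"))
    return uris

def cdp_extension_for(*uris):
    """Constructed sample (not a real certificate): one DistributionPoint per URI."""
    points = b"".join(der_encode(0x30, der_encode(0xA0, der_encode(0xA0,
                      der_encode(0x86, u.encode("ascii"))))) for u in uris)
    return der_encode(0x30, points)

# Constructed to mirror the CDP shown in the certificate dump in this thread.
SAMPLE_CDP = cdp_extension_for("http://195.212.109.205/ca.crl")
```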