Bug 960171
| Summary: | initial loading of CRL always fails on pluto startup | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Matt Rogers <mrogers> | ||||
| Component: | openswan | Assignee: | Paul Wouters <pwouters> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Aleš Mareček <amarecek> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | urgent | ||||||
| Version: | 6.4 | CC: | amarecek, kcleveng, ksrot, lnovich, lnovy, mmatsuya, omoris, sforsber | ||||
| Target Milestone: | rc | Keywords: | ZStream | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-11-21 23:45:22 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1012736 | ||||||
| Attachments: |
|
||||||
confirmed, will apply Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1718.html |
Created attachment 744240 [details] patch for crl loading order Description of problem: When pluto makes an attempt to load the CRLs from /etc/ipsec.d/crls on startup, loading always fails since it checks to see if the CRL has a loaded CA. Since load_crls comes before load_authcerts_from_nss in plutomain.c, there won't be any CA certs available. Version-Release number of selected component (if applicable): openswan-2.6.32-19.el6_3 How reproducible: 1. Load CA cert into NSSdb, place crl file into /etc/ipsec.d/crls 2. Start pluto with debug logging: 'service ipsec start' In the logs you will see the loading of the CRL and the failure: Changing to directory '/etc/ipsec.d/crls' loaded crl file 'crl.crl' (1747 bytes) | file content is not binary ASN.1 | -----BEGIN X509 CRL----- | -----END X509 CRL----- | file coded in PEM format ... crl issuer cacert not found for (file:///etc/ipsec.d/crls/crl.crl) (The file:/// is just the printed path, while wrong for linux, this path was not attempted at all) At this point ipsec auto --listall does not show any crl. Issuing an ipsec auto --rereadall will then load the CRL properly since the CA has been loaded beforehand. Additional info: Attaching a patch that swaps the order of the loading functions in plutomain.c. My testing with this shows that now the CRL's load properly on initial startup.