Bug 1310262 - libreswan does not check crl files after start
libreswan does not check crl files after start
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libreswan (Show other bugs)
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Paul Wouters
Jaroslav Aster
Depends On:
  Show dependency treegraph
Reported: 2016-02-19 17:15 EST by Jaroslav Aster
Modified: 2017-08-15 15:02 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-08-15 15:02:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
IPsec data files. (7.37 KB, application/x-gzip)
2016-02-24 10:56 EST, Jaroslav Aster
no flags Details

  None (edit)
Description Jaroslav Aster 2016-02-19 17:15:58 EST
Description of problem:

Libreswan does not check crl files after start, respectively it does not print information about check into the log file. This is a different behaviour against libreswan on rhel-7.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create directory /etc/ipsec.d/crls and put some crl file into it.
2. Start ipsec: service ipsec start.
3. Check there is loading message in pluto log file: grep 'loading crl file' /var/log/secure.

# grep 'loading crl file' /var/log/secure


Actual results:

There is no loading message in pluto log file.

Expected results:

There is loading message in pluto log file.

Additional info:

The same test on rhel-7 on libreswan-3.15-5.el7_1.

# grep 'loading crl file' /var/log/secure
Feb 19 16:38:19 qeos-21 pluto[7150]:  loading crl file 'myca.crl' (436 bytes)
Comment 1 Tuomo Soini 2016-02-21 16:32:42 EST
I just did test this with latest libreswan git version running el6 based system:

Feb 21 23:28:10 omout pluto[1027]:   loading crl file 'foobar.crl' (4250 bytes)

I don't see any problem. Are you absolutely sure about testing? 

How about restorecon -Rv /etc/ipsec.d/crls and retry. If you copy the crl from home directory and you forget to reset selinux context it won't work.
Comment 2 Paul Wouters 2016-02-22 09:55:32 EST
The libreswan code in rhel6 and rhel7 is identical. So I would also guess that possibly there is a missing selinux policy update for rhel6?
Comment 3 Jaroslav Aster 2016-02-22 10:34:10 EST
I feel a little bit confused now, because the scenario, which i described, is not reproducible anymore, but my, much more complicated, test fails on rhel-6 and passes on rhel-7. It's needed more investigation. SELinux context is ok.
Comment 4 Paul Wouters 2016-02-22 11:45:49 EST
note that the initscripts and service file call ipsec checknss which handles importing CRL data from /etc/ipsec.d/crls/ but only when we are converting from the old nss db format to the new nss sql format.

Once convered, the /etc/ipsec.d/crls/ and /etc/ipsec.d/cacerts directories are ignored.
Comment 5 Tuomo Soini 2016-02-22 12:15:18 EST
Actually, all crls are being read from /etc/ipsec.d/crls/ on every startup. Libreswan doesn't use crls in /etc/ipsec.d/crls/ but imports them if there are any.
Comment 6 Paul Wouters 2016-02-22 13:41:27 EST
(In reply to Tuomo Soini from comment #5)
> Actually, all crls are being read from /etc/ipsec.d/crls/ on every startup.
> Libreswan doesn't use crls in /etc/ipsec.d/crls/ but imports them if there
> are any.

Not that I see. If you look at programs/ipsec/ipsec.in you will see the section of code at

    # import cacerts and crls

is inside the "check for old nss db" if statement
Comment 7 Tuomo Soini 2016-02-22 15:14:21 EST
Sure. Scripting does import of current crl files to nss db when database is converted. But after that pluto still reads crl files directly.
Comment 8 Paul Wouters 2016-02-23 11:10:54 EST
Tuomo and I are looking into this issue. It seems a more complicated bug.
Comment 9 Jaroslav Aster 2016-02-24 10:56:07 EST

I did some tests and I have some results. I hope it will be useful for you.

My test creates an old version of db, so on start, ipsec --checknss is called and crl file myca.crl is imported into the new version of database. This is true for both versions, rhel-6 and rhel-7. Rhel-6's libreswan does not read myca.crl anymore, but rhel-7's libreswan still read this file everytime it is started and prints 'loading crl file myca.crl' into the log file. 

I attached ipsec files from my test. You can copy it into the right place and start ipsec.

# service ipsec stop
# tar zxvf ipsec_data.tar.gz
# cd ipsec_data
# rm -rf /etc/ipsec.*
# cp -apr * /etc/
# restorecon -Rv /etc/ipsec.*
# service ipsec start
# ipsec auto --listcrls
# grep 'loading crl' /var/log/secure

# service ipsec stop
# rm /etc/ipsec.d/crls/myca.crl
# service ipsec start
# grep 'loading crl' /var/log/secure

# service ipsec start
# cp ipsec.d/crls/myca.crl /etc/ipsec.d/crls/
# restorecon -Rv /etc/ipsec.*
# service ipsec start
# grep 'loading crl' /var/log/secure
Comment 10 Jaroslav Aster 2016-02-24 10:56 EST
Created attachment 1130248 [details]
IPsec data files.
Comment 11 Jaroslav Aster 2016-02-24 11:40:08 EST
Another issue. ipsec auto --rereadcrls does not work on rhel-6 (and rhel-7). It is marked as obsolete, but I think it still should work. At least it is confusing when 'loading crl' message is printed, but nothing is happen.

# ls /etc/ipsec.d/
cacerts  cert9.db  certs  crls  key4.db  nsspassword  nsspassword2.txt  nsspassword.txt  pkcs11.txt  policies  private  v6neighbor-hole.conf
# ls /etc/ipsec.d/crls/
# ipsec auto --listcrls
000 List of CRLs:
# ipsec auto --rereadcrls
002   loading crl file 'myca.crl' (307 bytes)
# ipsec auto --listcrls
000 List of CRLs:
Comment 13 Paul Wouters 2016-11-21 00:56:24 EST
Fixed with upstream commit

Comment 14 Paul Wouters 2017-01-17 15:35:17 EST
note you can see CRLs within NSS using:

crlutil -L -d sql:/etc/ipsec.d

Note You need to log in before you can comment on or make changes to this bug.