Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1310262

Summary: libreswan does not check crl files after start
Product: Red Hat Enterprise Linux 6 Reporter: Jaroslav Aster <jaster>
Component: libreswanAssignee: Paul Wouters <pwouters>
Status: CLOSED WONTFIX QA Contact: Jaroslav Aster <jaster>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.8CC: cww, jaster, mrogers, omoris, tis
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-15 19:02:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
IPsec data files. none

Description Jaroslav Aster 2016-02-19 22:15:58 UTC 
Description of problem:

Libreswan does not check crl files after start, respectively it does not print information about check into the log file. This is a different behaviour against libreswan on rhel-7.


Version-Release number of selected component (if applicable):

libreswan-3.15-5.1.el6


How reproducible:

100%

Steps to Reproduce:
1. Create directory /etc/ipsec.d/crls and put some crl file into it.
2. Start ipsec: service ipsec start.
3. Check there is loading message in pluto log file: grep 'loading crl file' /var/log/secure.

# grep 'loading crl file' /var/log/secure
<NOTHING>

# 

Actual results:

There is no loading message in pluto log file.

Expected results:

There is loading message in pluto log file.

Additional info:

The same test on rhel-7 on libreswan-3.15-5.el7_1.

# grep 'loading crl file' /var/log/secure
Feb 19 16:38:19 qeos-21 pluto[7150]:  loading crl file 'myca.crl' (436 bytes)
Comment 1 Tuomo Soini 2016-02-21 21:32:42 UTC 
I just did test this with latest libreswan git version running el6 based system:

Feb 21 23:28:10 omout pluto[1027]:   loading crl file 'foobar.crl' (4250 bytes)

I don't see any problem. Are you absolutely sure about testing? 

How about restorecon -Rv /etc/ipsec.d/crls and retry. If you copy the crl from home directory and you forget to reset selinux context it won't work.
Comment 2 Paul Wouters 2016-02-22 14:55:32 UTC 
The libreswan code in rhel6 and rhel7 is identical. So I would also guess that possibly there is a missing selinux policy update for rhel6?
Comment 3 Jaroslav Aster 2016-02-22 15:34:10 UTC 
I feel a little bit confused now, because the scenario, which i described, is not reproducible anymore, but my, much more complicated, test fails on rhel-6 and passes on rhel-7. It's needed more investigation. SELinux context is ok.
Comment 4 Paul Wouters 2016-02-22 16:45:49 UTC 
note that the initscripts and service file call ipsec checknss which handles importing CRL data from /etc/ipsec.d/crls/ but only when we are converting from the old nss db format to the new nss sql format.

Once convered, the /etc/ipsec.d/crls/ and /etc/ipsec.d/cacerts directories are ignored.
Comment 5 Tuomo Soini 2016-02-22 17:15:18 UTC 
Actually, all crls are being read from /etc/ipsec.d/crls/ on every startup. Libreswan doesn't use crls in /etc/ipsec.d/crls/ but imports them if there are any.
Comment 6 Paul Wouters 2016-02-22 18:41:27 UTC 
(In reply to Tuomo Soini from comment #5)
> Actually, all crls are being read from /etc/ipsec.d/crls/ on every startup.
> Libreswan doesn't use crls in /etc/ipsec.d/crls/ but imports them if there
> are any.

Not that I see. If you look at programs/ipsec/ipsec.in you will see the section of code at

    # import cacerts and crls

is inside the "check for old nss db" if statement
Comment 7 Tuomo Soini 2016-02-22 20:14:21 UTC 
Sure. Scripting does import of current crl files to nss db when database is converted. But after that pluto still reads crl files directly.
Comment 8 Paul Wouters 2016-02-23 16:10:54 UTC 
Tuomo and I are looking into this issue. It seems a more complicated bug.
Comment 9 Jaroslav Aster 2016-02-24 15:56:07 UTC 
Hi,

I did some tests and I have some results. I hope it will be useful for you.

My test creates an old version of db, so on start, ipsec --checknss is called and crl file myca.crl is imported into the new version of database. This is true for both versions, rhel-6 and rhel-7. Rhel-6's libreswan does not read myca.crl anymore, but rhel-7's libreswan still read this file everytime it is started and prints 'loading crl file myca.crl' into the log file. 

I attached ipsec files from my test. You can copy it into the right place and start ipsec.

# service ipsec stop
# tar zxvf ipsec_data.tar.gz
# cd ipsec_data
# rm -rf /etc/ipsec.*
# cp -apr * /etc/
# restorecon -Rv /etc/ipsec.*
# service ipsec start
# ipsec auto --listcrls
# grep 'loading crl' /var/log/secure

# service ipsec stop
# rm /etc/ipsec.d/crls/myca.crl
# service ipsec start
# grep 'loading crl' /var/log/secure

# service ipsec start
# cp ipsec.d/crls/myca.crl /etc/ipsec.d/crls/
# restorecon -Rv /etc/ipsec.*
# service ipsec start
# grep 'loading crl' /var/log/secure
Comment 10 Jaroslav Aster 2016-02-24 15:56:49 UTC 
Created attachment 1130248 [details]
IPsec data files.
Comment 11 Jaroslav Aster 2016-02-24 16:40:08 UTC 
Another issue. ipsec auto --rereadcrls does not work on rhel-6 (and rhel-7). It is marked as obsolete, but I think it still should work. At least it is confusing when 'loading crl' message is printed, but nothing is happen.

# ls /etc/ipsec.d/
cacerts  cert9.db  certs  crls  key4.db  nsspassword  nsspassword2.txt  nsspassword.txt  pkcs11.txt  policies  private  v6neighbor-hole.conf
# ls /etc/ipsec.d/crls/
myca.crl
# ipsec auto --listcrls
000  
000 List of CRLs:
# ipsec auto --rereadcrls
002   loading crl file 'myca.crl' (307 bytes)
# ipsec auto --listcrls
000  
000 List of CRLs:
Comment 13 Paul Wouters 2016-11-21 05:56:24 UTC 
Fixed with upstream commit

https://github.com/libreswan/libreswan/commit/52149be911e14dc3f89d8d0c1e0742954a35dbba
Comment 14 Paul Wouters 2017-01-17 20:35:17 UTC 
note you can see CRLs within NSS using:

crlutil -L -d sql:/etc/ipsec.d