Bug 1416144 - libreswan needs to check intermediate CRLs in strict mode - but after validating subCA against root CA (and its CRL)
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libreswan
Version: 7.4
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Paul Wouters
QA Contact: Ondrej Moriš
Depends On: 1360134 1416143
Blocks: 1269194 1420851
Reported: 2017-01-24 16:51 UTC by Paul Wouters
Modified: 2020-09-10 10:09 UTC (History)

Fixed In Version: 3.20-1
Doc Type: If docs needed, set a value
Clone Of: 1416143
Last Closed: 2017-08-01 12:31:06 UTC


Links
System: Red Hat Product Errata
ID: RHBA-2017:2101
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: libreswan bug fix and enhancement update
Last Updated: 2017-08-01 16:07:26 UTC

Comment 2 Paul Wouters 2017-04-21 04:25:03 UTC
This change came in with the rebase, as it was fixed upstream in 3.19.

Comment 3 Paul Wouters 2017-04-21 04:29:35 UTC
Related upstream testcases at 

https://github.com/libreswan/libreswan/tree/master/testing/pluto

nss-cert-chain-01
nss-cert-chain-01-ikev2
nss-cert-chain-02
nss-cert-chain-02-ikev2
nss-cert-chain-03
nss-cert-chain-03-ikev2
nss-cert-chain-04
nss-cert-chain-04-ikev2
nss-cert-ocsp-01-chain

It requires specially generated certificates. You can use the upstream script:
https://github.com/libreswan/libreswan/blob/master/testing/x509/dist_certs.py

Comment 5 Ondrej Moriš 2017-06-23 10:03:39 UTC
Verified SanityOnly.

Comment 6 errata-xmlrpc 2017-08-01 12:31:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2101

