Bug#656474: ipsec-tools: racoon: Make verification of x509 CRLs optional

Thu, 19 Jan 2012 08:33:19 -0800 

Package: ipsec-tools
Version: 1:0.7.3-12
Severity: wishlist
Tags: upstream

Currently when configured to verify peer x509 certificates ("verify_cert on") 
this includes the
verification of certificate revocation lists (CRL).

Racoon sets the following OpenSSL flags:


        X509_V_FLAG_CRL_CHECK
        X509_V_FLAG_CRL_CHECK_ALL


before asking OpenSSL to verify the certificate.

This will produce warnings in the racoon log file, if the CRL lists are not
present. This is especially annoying, if the certificates are part of a
certificate chain, because for every certificate in the chain racoon will
print this warning.

I think it would be nice to have a configuration option like


        verify_crl [on|all|off]


so I could let the certificates be verified, but either don't care about
CRLs at all or just care about the actual peer certificate and not the
intermediate CAs. If the intermediate CA certs get revoked, I would surely
want to know, but do not want that our systems stop talking to each other
right away.

Regards,
Jan



-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages ipsec-tools depends on:
ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
ii  libcomerr2          1.41.12-4stable1     common error description library
ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
ii  libk5crypto3        1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - C
ii  libkrb5-3           1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
ii  libssl0.9.8         0.9.8o-4squeeze5     SSL shared libraries

ipsec-tools recommends no packages.

ipsec-tools suggests no packages.

-- Configuration Files:
/etc/init.d/setkey changed [not included]
/etc/ipsec-tools.conf changed [not included]

-- no debconf information



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to