This is something set up by upstream, and in big government deployments it
could be seen as necessary/mandatory.  I.e., the ability to turn
it off may be considered an anti-feature and security hole... CRLs actually
have their weaknesses due to update issues when the network does not go...
IPSEC public keys in a DNSSEC signed DNS domain zone don't suffer like
this.

Have you considered setting up your own small CA, rather than using the
ones backed by Verisign etc.?  This would significantly reduce the chain
length, and avoid exposure to a CA compromise.  The package tinyca is the
one I use to generate my own CA and X509 certs for internal and VPN usage.
It's a Perl GTK application that wraps OpenSSL, and can have multiple CAs.

On Fri, Jan 20, 2012 at 5:31 AM, Jan Sievers <
siev...@kokosinseln.zedat.fu-berlin.de> wrote:

> Package: ipsec-tools
> Version: 1:0.7.3-12
> Severity: wishlist
> Tags: upstream
>
> Currently when configured to verify peer x509 certificates ("verify_cert
> on") this includes the
> verification of certificate revocation lists (CRL).
>
> Racoon sets the following OpenSSL flags:
>
>
>        X509_V_FLAG_CRL_CHECK
>        X509_V_FLAG_CRL_CHECK_ALL
>
>
> before asking OpenSSL to verify the certificate.
>
> This will produce warnings in the racoon log file, if the CRL lists are not
> present. This is especially annoying, if the certificates are part of a
> certificate chain, because for every certificate in the chain racoon will
> print this warning.
>
> I think it would be nice to have a configuration option like
>
>
>        verify_crl [on|all|off]
>
>
> so I could let the certificates be verified, but either don't care about
> CRLs at all or just care about the actual peer certificate and not the
> intermediate CAs. If the intermediate CA certs get revoked, I would surely
> want to know, but do not want that our systems stop talking to each other
> right away.
>
> Regards,
> Jan
>
>
>
> -- System Information:
> Debian Release: 6.0.3
>  APT prefers stable
>  APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
> Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages ipsec-tools depends on:
> ii  libc6               2.11.2-10            Embedded GNU C Library: Shared lib
> ii  libcomerr2          1.41.12-4stable1     common error description library
> ii  libgssapi-krb5-2    1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
> ii  libk5crypto3        1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - C
> ii  libkrb5-3           1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
> ii  libpam0g            1.1.1-6.1+squeeze1   Pluggable Authentication Modules l
> ii  libssl0.9.8         0.9.8o-4squeeze5     SSL shared libraries
>
> ipsec-tools recommends no packages.
>
> ipsec-tools suggests no packages.
>
> -- Configuration Files:
> /etc/init.d/setkey changed [not included]
> /etc/ipsec-tools.conf changed [not included]
>
> -- no debconf information
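To make the two OpenSSL flags in the report concrete, here is an added example (not racoon or ipsec-tools code) that maps the proposed `verify_crl [on|all|off]` values onto the same flag bits using Python's standard `ssl` module, which exposes X509_V_FLAG_CRL_CHECK as `VERIFY_CRL_CHECK_LEAF` and CRL_CHECK|CRL_CHECK_ALL as `VERIFY_CRL_CHECK_CHAIN`. The option names are the bug report's proposal, not an existing racoon or Python setting.

```python
"""Map a hypothetical 'verify_crl [on|all|off]' option onto OpenSSL CRL flags.

Added example built on Python's stdlib ssl module; not part of racoon.
"""
import ssl

# What racoon hard-codes today: X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL,
# i.e. a CRL is required for every certificate in the chain. Python spells
# that pair VERIFY_CRL_CHECK_CHAIN; the leaf-only flag is VERIFY_CRL_CHECK_LEAF.
CRL_CHAIN = int(ssl.VERIFY_CRL_CHECK_CHAIN)   # CRL_CHECK | CRL_CHECK_ALL
CRL_LEAF = int(ssl.VERIFY_CRL_CHECK_LEAF)     # CRL_CHECK alone
RACOON_DEFAULT = CRL_CHAIN

# Proposed option value -> flag bits (names are the bug report's, hypothetical).
VERIFY_CRL_MODES = {
    "off": 0,          # no CRL lookups at all
    "on": CRL_LEAF,    # only the peer certificate needs a CRL
    "all": CRL_CHAIN,  # every cert in the chain needs a CRL (current racoon)
}


def make_verify_context(verify_crl="all", cafile=None):
    """Build a certificate-verifying SSLContext honouring a verify_crl mode."""
    if verify_crl not in VERIFY_CRL_MODES:
        raise ValueError("verify_crl must be one of on|all|off")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the equivalent of 'verify_cert on'
    # Drop whatever CRL bits the default context carries, then apply the mode.
    # Plain ints are used so this works across Python's IntFlag versions.
    ctx.verify_flags = (int(ctx.verify_flags) & ~CRL_CHAIN) | VERIFY_CRL_MODES[verify_crl]
    if cafile:
        # One PEM file may hold CA certs and CRLs; OpenSSL loads both. With a
        # CRL bit set and no CRL for an issuer in the store, verification fails
        # with X509_V_ERR_UNABLE_TO_GET_CRL, once per certificate that is
        # checked, which is the flood of warnings the report describes.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def crl_mode_of(ctx):
    """Decode a context's flags back into the verify_crl vocabulary."""
    flags = int(ctx.verify_flags)
    if flags & CRL_CHAIN == CRL_CHAIN:
        return "all"
    if flags & CRL_LEAF:
        return "on"
    # Note: CRL_CHECK_ALL without CRL_CHECK is ignored by OpenSSL, so a context
    # carrying only that bit behaves as if CRL checking were off.
    return "off"
```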
