On 11/28, Paul Wouters wrote:
> On Fri, 28 Nov 2014, Matt Rogers wrote:
>
> (moved discussion to swan-dev)
>
> >>The intent was that the signature made by the CAcert over the CRL was
> >>either not yet valid or expired. This is unrelated to the content of the
> >>CRL.
> >>
> >The signature being expired? Do you mean a scenario where the CRL is signed
> >by an old CA key (i.e. it got reissued but the CA attributes stay the same)?
>
> build@bofh:~/libreswan/testing/x509/crls (master *)$ openssl crl -in cacrlnotyetvalid.pem -noout -text
> Certificate Revocation List (CRL):
>         Version 1 (0x0)
>     Signature Algorithm: md5WithRSAEncryption
>         Issuer: /C=ca/ST=Ontario/L=Toronto/O=Libreswan/OU=Test Department/CN=Libreswan test CA for mainca/emailAddress=test...@libreswan.org
>         Last Update: Sep 29 21:55:50 2014 GMT
>         Next Update: Oct 29 21:55:50 2014 GMT
> No Revoked Certificates.
>     Signature Algorithm: md5WithRSAEncryption
>          3c:bc:29:67:e9:1e:ee:55:d4:18:9e:69:25:a6:a3:54:b6:3e:
>          93:28:6b:43:44:f1:1e:a1:0d:14:24:c6:2f:f8:6b:14:c4:5d:
>          9d:f0:b3:47:e6:c6:32:5e:fe:cb:53:f3:2b:dd:d1:09:70:7f:
>          b9:00:fb:8b:9e:40:1f:b5:a5:ff:93:fe:81:e7:30:66:06:64:
>          e9:1b:d4:38:11:4b:31:20:e8:8f:83:e0:06:1a:ed:20:d3:df:
>          20:c9:8b:96:2e:8d:84:54:87:34:1c:ed:75:6a:75:e8:4b:00:
>          67:01:d1:c3:f7:e9:69:3e:6e:fc:ff:94:08:b1:f1:88:02:19:
>          e9:87
>
> Note the "Next Update". When this crl file is used after this time it is
> "expired".
>
Ahh, yes that's what the needupdate crl will cover. By setting the CRL period
to 0 days, Last Update and Next Update are both the creation timestamp, so by
the time you run the test Next Update is past due and will need a fetch.

Thanks,
Matt

> >That should be doable. There's also the "otherca" crl that's signed by a
> >different CA and should result in a failed verification.
>
> Yes, I assumed you had that one already :)
>
> Paul

_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
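The three CRL states the thread discusses (good CRL, CRL whose Next Update has passed, CRL signed by a different CA) can be produced and checked with nothing but the openssl command line. The script below is an added example, not libreswan's testing/x509 scripts: it builds two throwaway CAs (the names mainca and otherca are borrowed from the thread; the DNs, file names, the leaf certificate and the config file are made up here), generates one CRL per state, and then runs two different checks on each, a signature-only check (openssl crl -CAfile) and the check a relying party actually performs (openssl verify -crl_check). It assumes an openssl binary of 1.1.1 or later on PATH. Rather than a 0-day period it asks openssl ca for a 1-second one (-crlsec 1) and sleeps past it, which gives the same "Next Update already past" CRL without depending on how a given openssl ca treats a zero period; openssl ca always stamps Last Update with the current time, so the not-yet-valid variant is not produced here.

```shell
#!/bin/sh
# Added example, not libreswan's own testing/x509 scripts. Names mainca and
# otherca come from the thread; the DNs, file names, config and "leaf" cert
# are invented for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF=$WORK/ca.cnf

# Minimal config: [req] drives 'openssl req -x509' for the CA certs, [ca]
# drives 'openssl ca -gencrl'. No crlnumber file is configured, so the CRLs
# come out as v1 with no extensions, like the one shown in the thread.
cat > "$CNF" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
# subject is supplied with -subj
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = test_ca
[ test_ca ]
database   = $WORK/index.txt
default_md = sha256
EOF
: > "$WORK/index.txt"
echo 'unique_subject = no' > "$WORK/index.txt.attr"

make_ca() { # make_ca <name> <CN>
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/O=Example/CN=$2" 2>/dev/null
}

make_crl() { # make_crl <ca name> <out file> <period flags for openssl ca>
  ca=$1; out=$2; shift 2
  openssl ca -config "$CNF" -gencrl -md sha256 \
    -keyfile "$WORK/$ca.key" -cert "$WORK/$ca.crt" "$@" -out "$out" 2>/dev/null
}

# Signature only: does this CRL verify against this CA cert? The validity
# dates are not looked at here, which is the point Paul makes above.
crl_verifies() { # crl_verifies <crl> <ca cert>
  openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

crl_next_update() { # prints "nextUpdate=<date>" for <crl>
  openssl crl -in "$1" -noout -nextupdate
}

# What a relying party does with the CRL: verify the leaf issued by mainca
# with CRL checking on. A stale CRL fails with "CRL has expired"; a CRL from
# the wrong CA fails because no CRL for the leaf's issuer can be found.
leaf_ok_with_crl() { # leaf_ok_with_crl <crl>
  openssl verify -crl_check -CAfile "$WORK/mainca.crt" -CRLfile "$1" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

make_ca mainca  "Test CA for mainca"
make_ca otherca "Test CA for otherca"

# A leaf certificate issued by mainca, so there is something to check.
openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/O=Example/CN=leaf" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/mainca.crt" -CAkey "$WORK/mainca.key" \
  -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.crt" 2>/dev/null

# Last Update is always "now"; the flags set how far ahead Next Update is.
make_crl mainca  "$WORK/fresh.crl"      -crldays 1
make_crl mainca  "$WORK/needupdate.crl" -crlsec 1   # 1 s; a zero period is rejected by openssl ca
make_crl otherca "$WORK/otherca.crl"    -crldays 1
sleep 2   # needupdate.crl's Next Update is now in the past

echo "needupdate.crl: $(crl_next_update "$WORK/needupdate.crl")"
for name in fresh needupdate otherca; do
  if crl_verifies "$WORK/$name.crl" "$WORK/mainca.crt"; then sig=OK; else sig=FAIL; fi
  if leaf_ok_with_crl "$WORK/$name.crl"; then use=OK; else use=FAIL; fi
  echo "$name.crl: signature by mainca=$sig, usable for leaf=$use"
done
# fresh.crl: OK/OK; needupdate.crl: OK/FAIL (expired); otherca.crl: FAIL/FAIL
```

The two checks disagree on needupdate.crl on purpose: its signature by mainca is perfectly good, so openssl crl -CAfile reports "verify OK", yet openssl verify -crl_check refuses it because Next Update is in the past, which is exactly the state that should trigger a fresh fetch. otherca.crl fails both, since its issuer is not the CA that issued the leaf and its signature cannot be checked with mainca's key.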