#13 X509_V_ERR_UNABLE_TO_GET_CRL should not result in an error


In racoon - crypto_openssl.c:349 cb_check_cert()
(version 0.2.5) an error is returned if there is no
CRL. IMHO this should not be the case; a warning would
be the right way of handling this, at least that's how
I read: http://www.ipsec-howto.org/x247.html Section
X.509 Certificates, where it says:
... "If the certificate additionally is to be checked
against a certificate revocation file (CRL) the CRL
must be stored in the same directory using a similar
linked hashed name" ...
The proposed fix would then of course be:
add "case X509_V_ERR_UNABLE_TO_GET_CRL:" in

PLEASE NOTE that I have absolutely no clue about IPsec,
so someone with more intimate knowledge of this specific
part of the software should check this. My conclusions
were drawn from simple debugging and 'grep'ing. If the
information above is not sufficient, please don't
hesitate to contact me. Thanks!



  • Michal Ludvig

    Michal Ludvig - 2004-04-09
    • assigned_to: nobody --> ludvigm
    • status: open --> closed-fixed
  • Michal Ludvig

    Michal Ludvig - 2004-04-09

    You're right.
    I would rather have it configurable in racoon.conf,
    but it appears to be difficult to pass parameters to the
    actual checking function. For now I have tested and committed
    your proposal.
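
Added example, not racoon's code and not part of the thread: a stand-alone model of the verify-callback decision discussed above, showing a missing CRL tolerated with a warning while every other failure (including a revoked certificate) still rejects. The error-code values are copied from OpenSSL's `x509_vfy.h` so it builds without OpenSSL; `crl_policy`, `verify_state`, `check_cert_decision` and `verify_chain` are hypothetical names, and the hard-fail option is an assumption, not an existing racoon.conf setting.

```c
#include <stdio.h>

/* Values copied from OpenSSL's <openssl/x509_vfy.h>. */
#define X509_V_OK                     0
#define X509_V_ERR_UNABLE_TO_GET_CRL  3
#define X509_V_ERR_CERT_HAS_EXPIRED   10
#define X509_V_ERR_CERT_REVOKED       23

/* Hypothetical policy switch (assumption, not a racoon option). */
enum crl_policy { CRL_SOFT_FAIL, CRL_HARD_FAIL };

/* State the callback needs; with OpenSSL it could be attached to the
 * X509_STORE_CTX as ex_data and fetched inside the callback. */
struct verify_state {
    enum crl_policy policy;
    int crl_warnings;   /* missing-CRL events tolerated so far */
};

/* Same contract as an OpenSSL verify callback: return 1 to continue,
 * 0 to reject. `ok` and `err` are what OpenSSL reports per certificate. */
int check_cert_decision(int ok, int err, struct verify_state *st)
{
    if (ok)
        return 1;
    switch (err) {
    case X509_V_ERR_UNABLE_TO_GET_CRL:
        if (st->policy == CRL_HARD_FAIL)
            return 0;
        st->crl_warnings++;   /* tolerated, but recorded for the log */
        fprintf(stderr, "WARNING: no CRL found, revocation not checked\n");
        return 1;
    default:                  /* revoked, expired, bad signature, ... */
        return 0;
    }
}

/* Apply the decision to the per-certificate results of one chain
 * (constructed input: one error code per certificate, 0 meaning OK). */
int verify_chain(const int *errs, int n, struct verify_state *st)
{
    for (int i = 0; i < n; i++)
        if (!check_cert_decision(errs[i] == X509_V_OK, errs[i], st))
            return 0;
    return 1;
}
```

With the soft-fail behaviour, the warning count is the only trace that revocation was never checked, so it is worth surfacing in logs.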


