In racoon - crypto_openssl.c:349 cb_check_cert()
(version 0.2.5) an error is returned if there is no
CRL. IMHO this should not be the case; a warning would
be the right way of handling this, at least that's how
I read: http://www.ipsec-howto.org/x247.html Section
X.509 Certificates, where it says:
... "If the certificate additionally is to be checked
against a certificate revocation file (CRL) the CRL
must be stored in the same directory using a similar
linked hashed name" ...
The proposed fix would then of course be:
add "case X509_V_ERR_UNABLE_TO_GET_CRL:" in
PLEASE NOTE that I have absolutely no clue about IPsec,
so someone with more intimate knowledge of this specific
part of the software should check this. My conclusions
were drawn from simple debugging and 'grep'ing. If the
information above is not sufficient, please don't
hesitate to contact me. Thanks!
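
The behaviour the report asks for, as an added example that is not racoon's code or the reporter's patch: a decision function with the contract of an OpenSSL verify callback that downgrades only a missing CRL to a warning and counts how often revocation went unchecked. The `crl_policy` knob and the function names are hypothetical; the `X509_V_*` values repeat those in OpenSSL's `<openssl/x509_vfy.h>` so the block builds without OpenSSL.

```c
#include <stdio.h>

/* Numeric values as defined in OpenSSL's <openssl/x509_vfy.h>, repeated
   here so the example compiles without the OpenSSL headers. */
#define X509_V_OK                     0
#define X509_V_ERR_UNABLE_TO_GET_CRL  3
#define X509_V_ERR_CERT_HAS_EXPIRED  10
#define X509_V_ERR_CRL_HAS_EXPIRED   12
#define X509_V_ERR_CERT_REVOKED      23

/* Hypothetical policy knob for this example, not a racoon option. */
enum crl_policy { CRL_REQUIRED, CRL_OPTIONAL };

static int crl_warnings; /* times a certificate passed without a CRL check */

/* Same contract as an OpenSSL verify callback: ok is OpenSSL's verdict,
   err the X509_V_* code. Return 1 to continue verification, 0 to fail it.
   Only a missing CRL is ever downgraded; every other error stays fatal. */
int check_cert_result(int ok, int err, enum crl_policy policy)
{
    if (ok)
        return 1;
    switch (err) {
    case X509_V_ERR_UNABLE_TO_GET_CRL:
        if (policy == CRL_OPTIONAL) {
            crl_warnings++;
            fprintf(stderr, "WARNING: no CRL found, revocation not checked\n");
            return 1;
        }
        break;
    default: /* revoked, expired CRL, expired certificate, ... */
        break;
    }
    fprintf(stderr, "ERROR: certificate verification failed (code %d)\n", err);
    return 0;
}

int crl_warning_count(void) { return crl_warnings; }

int main(void)
{
    printf("no CRL, required: %d\n", check_cert_result(0, X509_V_ERR_UNABLE_TO_GET_CRL, CRL_REQUIRED));
    printf("no CRL, optional: %d\n", check_cert_result(0, X509_V_ERR_UNABLE_TO_GET_CRL, CRL_OPTIONAL));
    printf("revoked, optional: %d\n", check_cert_result(0, X509_V_ERR_CERT_REVOKED, CRL_OPTIONAL));
    printf("expired, optional: %d\n", check_cert_result(0, X509_V_ERR_CERT_HAS_EXPIRED, CRL_OPTIONAL));
    return 0;
}
```

With the optional policy a peer whose certificate has been revoked is still accepted whenever the CRL file is absent, so the warning counter is the value to monitor.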