Discussion:
IPSec crl
Fuchs, Martin
2011-08-17 20:54:52 UTC
Sent while on the go ...

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe-***@public.gmane.org
For additional commands, e-mail: support-help-***@public.gmane.org

Commercial support available - https://portal.pfsense.org
Fuchs, Martin
2011-08-17 20:56:05 UTC
Hi,
Does the IPSec config make use of CRLs defined in the cert-Manager?
I cannot see any references to used CRLs in the cert-Manager when a CRL is defined there, neither can I choose a CRL in the IPSec config.
This is a security risk, I think, that should be fixed 2.0 leaves the door or am I mistaken?

Regards, Martin
Jim Pingle
2011-08-17 21:55:16 UTC
Post by Fuchs, Martin
Hi,
Does the IPSec config make use of CRLs defined in the cert-Manager?
I cannot see any references to used CRLs in the cert-Manager when a CRL is defined there, neither can I choose a CRL in the IPSec config.
This is a security risk, I think, that should be fixed 2.0 leaves the door or am I mistaken?
The IPsec config doesn't currently hook into the CRLs from the system.
It's been discussed on the forum a bit.
http://forum.pfsense.org/index.php?topic=35872.0 is the thread I was
thinking of specifically. The way racoon wants the crl written out and
named wasn't very easy to work with.

It's not that dangerous to run without a CRL unless you need to revoke
access, then you can always just switch up the CA and certs for both
ends if it's custom.

Jim
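
The naming issue mentioned in the reply above, as an added example that is not part of the thread or of pfSense's code: OpenSSL's hashed-directory lookup expects a CRL to sit in the certificate directory as `<issuer-hash>.rN`. This assumes racoon searches its certificate path that way; `install_crl` and `crl_issuer` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: install a PEM CRL into an OpenSSL hashed directory.
# Assumption: the IKE daemon's certificate path is searched with OpenSSL's
# hash-dir lookup, which finds CRLs under the name <issuer-hash>.rN.

# Print the issuer DN of a PEM CRL.
crl_issuer() {
    openssl crl -in "$1" -noout -issuer
}

# install_crl <crl.pem> <cert_dir>
# Prints the path written. An older CRL from the same issuer is replaced;
# otherwise the first free .rN slot is used (N > 0 only on hash collisions).
install_crl() {
    crl=$1
    dir=$2
    # Refuse anything that does not parse as a CRL.
    crl_hash=$(openssl crl -in "$crl" -noout -hash 2>/dev/null) || return 1
    issuer=$(crl_issuer "$crl") || return 1
    n=0
    while [ -e "$dir/$crl_hash.r$n" ]; do
        # Same issuer: this slot holds the CRL being refreshed.
        [ "$(crl_issuer "$dir/$crl_hash.r$n" 2>/dev/null)" = "$issuer" ] && break
        n=$((n + 1))
    done
    # Write to a temp file and rename, so a partial CRL is never visible.
    tmp=$(mktemp "$dir/.crl.XXXXXX") || return 1
    openssl crl -in "$crl" -outform PEM -out "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp"
    mv -f "$tmp" "$dir/$crl_hash.r$n"
    printf '%s\n' "$dir/$crl_hash.r$n"
}
```

The installed file can be checked with `openssl verify -crl_check -CApath <cert_dir> <peer-cert.pem>`, which fails for a revoked certificate once the CRL is found under the hashed name.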

Fuchs, Martin
2011-08-21 20:39:26 UTC
Hmmm, in larger setups it could be annoying, but perhaps there will be a solution one day ;-)

Perhaps to choose one crl, ipsec should use... ?

Regards,

martin

-----Original Message-----
From: Jim Pingle [mailto:***@pingle.org]
Sent: Wednesday, August 17, 2011 23:55
To: ***@pfsense.com
Subject: Re: [pfSense Support] IPSec crl
Post by Fuchs, Martin
Hi,
Does the IPSec config make use of CRLs defined in the cert-Manager?
I cannot see any references to used CRLs in the cert-Manager when a CRL is defined there, neither can I choose a CRL in the IPSec config.
This is a security risk, I think, that should be fixed 2.0 leaves the door or am I mistaken?
The IPsec config doesn't currently hook into the CRLs from the system.
It's been discussed on the forum a bit.
http://forum.pfsense.org/index.php?topic=35872.0 is the thread I was thinking of specifically. The way racoon wants the crl written out and named wasn't very easy to work with.

It's not that dangerous to run without a CRL unless you need to revoke access, then you can always just switch up the CA and certs for both ends if it's custom.

Jim
