/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 /testing/x509/import.sh real/mainca/west.p12
 ipsec pk12util -w nss-pw -i real/mainca/west.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n mainca -t CT,,
 ipsec certutil -O -n west
"mainca" [E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
  "west" [E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 /testing/x509/import.sh real/mainca/nic.end.cert
 ipsec certutil -A -n nic -t P,, -i real/mainca/nic.end.cert
 ipsec certutil -O -n nic
"mainca" [E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
  "nic" [E=user-nic@testing.libreswan.org,CN=nic.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 /testing/x509/import.sh real/mainca/crl-is-out-of-date.crl
 ipsec crlutil -I -i real/mainca/crl-is-out-of-date.crl
west #
 ipsec certutil -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west                                                         u,u,u
mainca                                                       CT,, 
nic                                                          P,,  
west #
 # need to pass impair into pluto
west #
 ipsec pluto --config /etc/ipsec.conf --leak-detective --impair event_check_crls
ipsec pluto: impair: event_check_crls: no -> yes
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec whack --impair suppress_retransmits
west #
 ipsec whack --impair revival
west #
 ipsec add nss-cert-crl
"nss-cert-crl": added IKEv1 connection
west #
 # Try to establish, it will fail because the CRL list is out-of-date.
west #
 # Since crl-strict=true, a fetch of CRLs is initiated (or would be if
west #
 # it weren't impaired).
west #
 ipsec up nss-cert-crl
"nss-cert-crl" #1: initiating IKEv1 Main Mode connection
"nss-cert-crl" #1: sent Main Mode request
"nss-cert-crl" #1: sent Main Mode I2
"nss-cert-crl" #1: I am sending my cert
"nss-cert-crl" #1: I am sending a certificate request
"nss-cert-crl" #1: sent Main Mode I3
"nss-cert-crl" #1: NSS: ERROR: IPsec certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA invalid: SEC_ERROR_REVOKED_CERTIFICATE: Peer's Certificate has been revoked.
"nss-cert-crl" #1: X509: certificate rejected for this connection
"nss-cert-crl" #1: X509: CERT payload bogus or revoked
"nss-cert-crl" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.1.2.23:500
"nss-cert-crl" #1: STATE_MAIN_I3: 15 second timeout exceeded after 0 retransmits.  Possible authentication failure: no acceptable response to our first encrypted message
"nss-cert-crl" #1: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
"nss-cert-crl" #1: IMPAIR: revival: skip scheduling revival event
"nss-cert-crl" #1: deleting ISAKMP SA (MAIN_I3) and NOT sending notification
west #
 # check there's a pending CRL; fetch it and confirm it has cleared
west #
 ipsec listcrls
 
List of CRLs:
 
issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org
revoked certs: 1
updates: this TIMESTAMP
         next TIMESTAMP
west #
 ipsec fetchcrls
CRL: imported CRL 'http://nic.testing.libreswan.org/revoked.crl' signed by 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' after 1 attempt(s)
west #
 ipsec listcrls
 
List of CRLs:
 
issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org
revoked certs: 1
updates: this TIMESTAMP
         next TIMESTAMP
west #
 # finally trigger the revival; will re-fail but this time because the
west #
 # cert is revoked.
west #
 ipsec whack --impair trigger_revival:1
"nss-cert-crl": IMPAIR: dispatch REVIVAL; attempt 1 next in 5s; timeout IKE SA
"nss-cert-crl": reviving connection which timeout IKE SA but must remain up per local policy (serial $1)
"nss-cert-crl" #2: initiating IKEv1 Main Mode connection
"nss-cert-crl" #2: sent Main Mode request
"nss-cert-crl" #2: sent Main Mode I2
"nss-cert-crl" #2: I am sending my cert
"nss-cert-crl" #2: I am sending a certificate request
"nss-cert-crl" #2: sent Main Mode I3
"nss-cert-crl" #2: NSS: ERROR: IPsec certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA invalid: SEC_ERROR_REVOKED_CERTIFICATE: Peer's Certificate has been revoked.
"nss-cert-crl" #2: X509: certificate rejected for this connection
"nss-cert-crl" #2: X509: CERT payload bogus or revoked
"nss-cert-crl" #2: sending encrypted notification INVALID_ID_INFORMATION to 192.1.2.23:500
"nss-cert-crl" #2: STATE_MAIN_I3: 15 second timeout exceeded after 0 retransmits.  Possible authentication failure: no acceptable response to our first encrypted message
"nss-cert-crl" #2: connection is supposed to remain up; revival attempt 2 scheduled in 5 seconds
"nss-cert-crl" #2: IMPAIR: revival: skip scheduling revival event
"nss-cert-crl" #2: deleting ISAKMP SA (MAIN_I3) and NOT sending notification
west #
 test -r /tmp/pluto.log && grep -e '^[^|].*ERROR' /tmp/pluto.log
"nss-cert-crl" #1: NSS: ERROR: IPsec certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA invalid: SEC_ERROR_REVOKED_CERTIFICATE: Peer's Certificate has been revoked.
"nss-cert-crl" #2: NSS: ERROR: IPsec certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA invalid: SEC_ERROR_REVOKED_CERTIFICATE: Peer's Certificate has been revoked.
west #
 test -r /tmp/pluto.log && ipsec crlutil -L
CRL names                                CRL Type
mainca                                   CRL  
west #
