ikectl revoke: do not hardcode crl lifetime
On Wed, Nov 27, 2024 at 04:59:49PM GMT, Pascal Stumpf wrote:
> CRL lifetime is supposedly configurable via ikeca.cnf. However, the
> default "revoke" command in ikectl overrides this to 365 days.
>
> ok?
Looks correct, thanks! ok tobhe@
>
>
> Index: ikeca.c
> ===================================================================
> RCS file: /home/cvs/src/usr.sbin/ikectl/ikeca.c,v
> diff -u -p -r1.51 ikeca.c
> --- ikeca.c 23 Jan 2021 22:04:55 -0000 1.51
> +++ ikeca.c 25 Nov 2024 16:49:26 -0000
> @@ -1034,7 +1034,7 @@ ca_revoke(struct ca *ca, char *keyname)
> err(1, "%s: snprintf", __func__);
> char *cmd[] = { PATH_OPENSSL, "ca", "-config", ca->sslcnf,
> "-keyfile", cakey, "-passin", ca->passfile, "-gencrl",
> - "-cert", cacrt, "-crldays", "365", "-out", path, ca->batch, NULL };
> + "-cert", cacrt, "-out", path, ca->batch, NULL };
> ca_execv(cmd);
>
> return (0);
>
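Review bot: with "-crldays", "365" dropped from the cmd[] array, the CRL lifetime now comes only from the file passed as "-config", ca->sslcnf, so "revoke" depends on that config setting one (default_crl_days in the CA section). Worth confirming that the ikeca.cnf installed by default sets it, and checking what happens for a CA whose config is older or locally edited and lacks the setting, since those users previously got 365 days without asking. A sentence in ikectl(8) stating that the CRL lifetime is taken from ikeca.cnf would make the new behaviour discoverable.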