From: Pascal Stumpf Subject: ikectl revoke: do not hardcode crl lifetime To: tech@openbsd.org Date: Wed, 27 Nov 2024 16:59:49 +0100 CRL lifetime is supposedly configurable via ikeca.cnf. However, the default "revoke" command in ikectl overrides this to 365 days. ok? Index: ikeca.c =================================================================== RCS file: /home/cvs/src/usr.sbin/ikectl/ikeca.c,v diff -u -p -r1.51 ikeca.c --- ikeca.c 23 Jan 2021 22:04:55 -0000 1.51 +++ ikeca.c 25 Nov 2024 16:49:26 -0000 @@ -1034,7 +1034,7 @@ ca_revoke(struct ca *ca, char *keyname) err(1, "%s: snprintf", __func__); char *cmd[] = { PATH_OPENSSL, "ca", "-config", ca->sslcnf, "-keyfile", cakey, "-passin", ca->passfile, "-gencrl", - "-cert", cacrt, "-crldays", "365", "-out", path, ca->batch, NULL }; + "-cert", cacrt, "-out", path, ca->batch, NULL }; ca_execv(cmd); return (0);
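
Review bot: In the cmd[] array in ca_revoke(), dropping "-crldays", "365" makes the CRL lifetime depend entirely on the file passed as ca->sslcnf, so the submission should say which value ikeca.cnf actually sets for default_crl_days. If that value is not 365, existing CAs will get a different nextUpdate on the next revoke with no visible warning, and a shorter one means the CRL goes stale sooner unless it is regenerated more often. openssl ca -gencrl also refuses to run when neither -crldays nor a default_crl_days/default_crl_hours entry is available, so a locally modified or older ikeca.cnf lacking that entry would make revoke fail. A sentence in ikectl(8) stating that the CRL lifetime is taken from ikeca.cnf would cover both cases.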