[strongSwan-dev] [PATCH 1/2] Check start date when evaluating validity of CRL

Andreas Steffen andreas.steffen at strongswan.org
Mon Mar 5 20:45:46 CET 2012

Hello Thomas,

I'm not sure. "thisUpdate" for CRLs is not the same as "notBefore"
for certificates. In my opinion "thisUpdate" should be the date
the CRL was released and if this date lies in the future then probably
the NTP time synchronisation went wrong. If we know that a given
certificate is going to be revoked in 10 minutes' time then we
should heed this advice. This is why I omitted a "thisUpdate" check
on purpose since the "thisUpdate" date is merely informational and
should only help in selecting the most recent CRL if a version 2
crlNumber is not available.

Kind Regards


On 05.03.2012 18:40, Thomas Egerer wrote:
> ---
> Hello *,
> shouldn't CRLs with a validity starting date in the future be
> revoked?
> Cheers,
> Thomas
>  src/libstrongswan/plugins/openssl/openssl_crl.c |    2 +-
>  src/libstrongswan/plugins/x509/x509_crl.c       |    2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
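The distinction drawn above, between a CRL whose thisUpdate lies in the future (a clock-skew symptom, but the revocation data is still honoured) and one whose nextUpdate has passed (stale), can be modelled in a few lines. The following C is an added example written for this thread; it is not strongSwan code, does not use strongSwan's crl_t or the openssl/x509 plugins from the patch, and the crl_info_t struct, crl_check(), crl_select_newest() and the SAMPLE_* data are all assumptions constructed for illustration. It also shows the selection rule from the reply: prefer the v2 crlNumber when both CRLs carry one, and fall back to thisUpdate only when they do not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical minimal view of a CRL's validity fields (not strongSwan's crl_t). */
typedef struct {
    time_t   this_update;     /* date the issuer released this CRL */
    time_t   next_update;     /* date by which a newer CRL is promised (0 = none given) */
    bool     has_crl_number;  /* v2 crlNumber extension present? */
    uint64_t crl_number;      /* monotonically increasing issue counter */
} crl_info_t;

typedef enum {
    CRL_OK        = 0,  /* thisUpdate in the past, nextUpdate not yet reached */
    CRL_OK_FUTURE = 1,  /* still usable, but thisUpdate is ahead of local time:
                           log it, the local clock (NTP) is the likely culprit */
    CRL_STALE     = 2   /* nextUpdate has passed: a fresh CRL must be fetched */
} crl_status_t;

/* Evaluate a CRL at time 'now'. A future thisUpdate never rejects the CRL;
 * revocations it announces are treated as authoritative, as the reply argues. */
crl_status_t crl_check(const crl_info_t *crl, time_t now)
{
    if (crl->next_update != 0 && now > crl->next_update) {
        return CRL_STALE;
    }
    if (crl->this_update > now) {
        return CRL_OK_FUTURE;
    }
    return CRL_OK;
}

/* Pick the most recent of 'count' CRLs from the same issuer: compare
 * crlNumber when both sides have one, otherwise fall back to thisUpdate. */
size_t crl_select_newest(const crl_info_t *crls, size_t count)
{
    size_t best = 0;
    for (size_t i = 1; i < count; i++) {
        const crl_info_t *a = &crls[best];
        const crl_info_t *b = &crls[i];
        bool b_newer;
        if (a->has_crl_number && b->has_crl_number) {
            b_newer = b->crl_number > a->crl_number;
        } else {
            b_newer = b->this_update > a->this_update;
        }
        if (b_newer) {
            best = i;
        }
    }
    return best;
}

/* Constructed sample data (epoch seconds chosen for readability, not real CRLs). */
static const time_t SAMPLE_NOW = (time_t)1000000;
static const crl_info_t SAMPLE_CRLS[3] = {
    { (time_t) 900000, (time_t)1100000, false, 0 },  /* normal, current */
    { (time_t)1000600, (time_t)1200000, false, 0 },  /* thisUpdate 10 min ahead */
    { (time_t) 800000, (time_t) 999000, false, 0 },  /* nextUpdate already passed */
};
/* Same two CRLs but carrying crlNumber: the later thisUpdate loses to the
 * higher number, so a CRL stamped by a skewed clock cannot win selection. */
static const crl_info_t SAMPLE_NUMBERED[2] = {
    { (time_t) 900000, (time_t)1100000, true, 5 },
    { (time_t)1000600, (time_t)1200000, true, 3 },
};

int main(void)
{
    static const char *names[] = { "ok", "ok (thisUpdate in future)", "stale" };
    for (size_t i = 0; i < 3; i++) {
        printf("CRL %zu: %s\n", i, names[crl_check(&SAMPLE_CRLS[i], SAMPLE_NOW)]);
    }
    printf("newest by thisUpdate: %zu\n", crl_select_newest(SAMPLE_CRLS, 2));
    printf("newest by crlNumber:  %zu\n", crl_select_newest(SAMPLE_NUMBERED, 2));
    return 0;
}
```

A practical consequence of keeping CRL_OK_FUTURE distinct from CRL_OK is that a monitoring rule can alert on it without blocking connections, which separates "our clock is wrong" from "the issuer's data is unusable".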
