[strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls
tobias at strongswan.org
Tue Nov 10 15:26:51 CET 2015
> This works fine usually as strongswan appears to use the last loaded CRL
> as the one to check when a new IKE connection is requested.
Yes, the code in vici_cred.c is definitely not ideal. It adds a loaded
CRL just like a regular certificate to the credential set, which means
it just gets added to the front of the list of trusted certificates.
Instead, we should call add_crl(), which actually compares the CRL to
already loaded ones (in the same credential set) and drops it if it was
I pushed a fix for this to the vici-load-cert-crl branch . Let me
know if that works for you.
More information about the Dev