[strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls

Tobias Brunner tobias at strongswan.org
Tue Nov 10 15:26:51 CET 2015

Hi Michael,

> This works fine usually as strongswan appears to use the last loaded CRL
> as the one to check when a new IKE connection is requested.

Yes, the code in vici_cred.c is definitely not ideal.  It adds a loaded
CRL just like a regular certificate to the credential set, which means
it just gets added to the front of the list of trusted certificates.
Instead, we should call add_crl(), which actually compares the CRL to
already loaded ones (in the same credential set) and drops it if it was

I pushed a fix for this to the vici-load-cert-crl branch [1].  Let me
know if that works for you.



More information about the Dev mailing list