[strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls
Tobias Brunner
tobias at strongswan.org
Tue Nov 10 15:26:51 CET 2015
Hi Michael,
> This works fine usually as strongswan appears to use the last loaded CRL
> as the one to check when a new IKE connection is requested.
Yes, the code in vici_cred.c is definitely not ideal. It adds a loaded
CRL just like a regular certificate to the credential set, which means
it just gets added to the front of the list of trusted certificates.
Instead, we should call add_crl(), which actually compares the CRL to
already loaded ones (in the same credential set) and drops it if it was
superseded.
I pushed a fix for this to the vici-load-cert-crl branch [1]. Let me
know if that works for you.
Regards,
Tobias
[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/vici-load-cert-crl
More information about the Dev
mailing list