[strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls
michael.cole at cgi.com
Tue Nov 10 15:33:35 CET 2015
That is excellent, it sounds like exactly what we would like.
I'll patch a build and try it.
From: Tobias Brunner [mailto:tobias at strongswan.org]
Sent: 10 November 2015 14:27
To: Cole, Michael; dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls
> This works fine usually as strongswan appears to use the last loaded
> CRL as the one to check when a new IKE connection is requested.
Yes, the code in vici_cred.c is definitely not ideal. It adds a loaded CRL just like a regular certificate to the credential set, which means it just gets added to the front of the list of trusted certificates.
Instead, we should call add_crl(), which actually compares the CRL to already loaded ones (in the same credential set) and drops it if it was superseded.
I pushed a fix for this to the vici-load-cert-crl branch . Let me know if that works for you.
More information about the Dev