[strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls

Cole, Michael michael.cole at cgi.com
Tue Nov 10 15:33:35 CET 2015


Hi Tobias

That is excellent, it sounds like exactly what we would like.

I'll patch a build and try it.

Many thanks
Mike



-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org] 
Sent: 10 November 2015 14:27
To: Cole, Michael; dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls

Hi Michael,

> This works fine usually as strongswan appears to use the last loaded 
> CRL as the one to check when a new IKE connection is requested.

Yes, the code in vici_cred.c is definitely not ideal.  It adds a loaded CRL just like a regular certificate to the credential set, which means it just gets added to the front of the list of trusted certificates.
Instead, we should call add_crl(), which actually compares the CRL to already loaded ones (in the same credential set) and drops it if it was superseded.

I pushed a fix for this to the vici-load-cert-crl branch [1].  Let me know if that works for you.

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/vici-load-cert-crl
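Added example, not code from strongSwan or from either message above: a small C model of the two loading strategies Tobias contrasts. The struct, list and function names are invented for this illustration, and "same issuer" and "newer" are reduced to an issuer string and a CRLNumber-style integer, which strongSwan's real add_crl() does not do. The point it shows is that a front-of-list insert only happens to pick the freshest CRL while CRLs arrive in order, and that the supersede check also keeps the set from accumulating stale copies.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy CRL record; the field names are invented for this example. */
typedef struct crl_entry {
    const char *issuer;        /* stands in for issuer DN / authorityKeyIdentifier */
    unsigned long crl_number;  /* stands in for the X.509 CRLNumber extension */
    struct crl_entry *next;
} crl_entry_t;

/* Credential set as a singly linked list; the front holds the newest insertion. */
typedef struct { crl_entry_t *head; } cred_set_t;

/* Both loading strategies have this shape; the result says whether the CRL was kept. */
typedef bool (*loader_t)(cred_set_t *set, const char *issuer, unsigned long number);

/* Naive strategy (what the mail says vici_cred.c did): prepend the CRL like any
 * other certificate, without looking at the CRLs already in the set. */
static bool add_like_cert(cred_set_t *set, const char *issuer, unsigned long number)
{
    crl_entry_t *e = calloc(1, sizeof(*e));
    if (!e) abort();
    e->issuer = issuer;
    e->crl_number = number;
    e->next = set->head;
    set->head = e;
    return true;
}

/* Supersede-aware strategy modelled on the add_crl() behaviour the mail describes:
 * an incoming CRL that is not newer than the stored one for the same issuer is
 * dropped; a newer one replaces it.  (Real strongSwan compares more than one integer.) */
static bool add_crl(cred_set_t *set, const char *issuer, unsigned long number)
{
    for (crl_entry_t **pp = &set->head; *pp; pp = &(*pp)->next) {
        crl_entry_t *cur = *pp;
        if (strcmp(cur->issuer, issuer) != 0) continue;
        if (number <= cur->crl_number) return false;  /* superseded or duplicate */
        *pp = cur->next;                              /* unlink the stale CRL */
        free(cur);
        break;
    }
    return add_like_cert(set, issuer, number);
}

/* First-match lookup, as a front-to-back enumeration behaves: 0 if no CRL for the issuer. */
static unsigned long lookup_crl(const cred_set_t *set, const char *issuer)
{
    for (const crl_entry_t *e = set->head; e; e = e->next)
        if (strcmp(e->issuer, issuer) == 0) return e->crl_number;
    return 0;
}

static size_t count_entries(const cred_set_t *set)
{
    size_t n = 0;
    for (const crl_entry_t *e = set->head; e; e = e->next) n++;
    return n;
}

static void free_set(cred_set_t *set)
{
    while (set->head) { crl_entry_t *e = set->head; set->head = e->next; free(e); }
}

/* Constructed scenario: CRL #7 is loaded, then an older #5 arrives (an out-of-order
 * reload).  Returns what a first-match lookup for the CA then yields: the naive
 * loader leaves the stale #5 at the front, add_crl() keeps #7. */
unsigned long first_match_after_reload(loader_t load)
{
    cred_set_t set = { NULL };
    load(&set, "CN=Example CA", 7);
    load(&set, "CN=Example CA", 5);
    unsigned long n = lookup_crl(&set, "CN=Example CA");
    free_set(&set);
    return n;
}

/* Constructed scenario: loads #5, #7, #6 for one CA and #1 for another.  The naive
 * loader keeps all four entries; add_crl() leaves one CRL per issuer. */
size_t entries_after_reload(loader_t load)
{
    cred_set_t set = { NULL };
    load(&set, "CN=Example CA", 5);
    load(&set, "CN=Example CA", 7);
    load(&set, "CN=Example CA", 6);
    load(&set, "CN=Other CA", 1);
    size_t n = count_entries(&set);
    free_set(&set);
    return n;
}

int main(void)
{
    printf("first match: naive=%lu add_crl=%lu; entries: naive=%zu add_crl=%zu\n",
           first_match_after_reload(add_like_cert), first_match_after_reload(add_crl),
           entries_after_reload(add_like_cert), entries_after_reload(add_crl));
    return 0;
}
```

The naive loader gives the right answer only as long as every reload pushes a CRL at least as new as the last one; the moment an older CRL is loaded after a newer one (a stale file on one node, a race between two reload paths), the first match is the stale CRL and a revoked certificate issued in between is accepted. The supersede check removes that ordering dependency and also caps the set at one CRL per issuer.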

