[strongSwan-dev] Authorize hook called even if CRL is expired

Tobias Brunner tobias at strongswan.org
Mon Aug 28 14:30:49 CEST 2017

Hi Emeric,

> The problem is that our custom authorize hook is called (whith final = FALSE) even if the CRL is expired:

Yes, it's called after each authentication round and before the
constraints check that rejects the SA due to the missing CRL validation.
 That may allow listeners to modify the current auth_cfg and add or
override certain things before the constraints checks.

> As a workaround, how could we check the CRL validation status in our custom plugin during the authorize hook?

You can get the current remote auth_cfg from the IKE_SA and look if you
have any RULE_CRL_VALIDATION and if so what value it has.


More information about the Dev mailing list