[strongSwan-dev] Authorize hook called even if CRL is expired
Tobias Brunner
tobias at strongswan.org
Mon Aug 28 14:30:49 CEST 2017
Hi Emeric,
> The problem is that our custom authorize hook is called (with final = FALSE) even if the CRL is expired:
Yes, it's called after each authentication round and before the
constraints check that rejects the SA due to the missing CRL validation.
That may allow listeners to modify the current auth_cfg and add or
override certain things before the constraints checks.
> As a workaround, how could we check the CRL validation status in our custom plugin during the authorize hook?
You can get the current remote auth_cfg from the IKE_SA and look if you
have any RULE_CRL_VALIDATION and if so what value it has.
Regards,
Tobias
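
The check suggested in the reply, as an added example; it is not code from strongSwan or from either poster. mock_auth_cfg_t and both function names are hypothetical stand-ins so the logic builds without the strongSwan headers, and vetoing on a missing rule or on any value other than VALIDATION_GOOD is an assumed policy.

```c
#include <stdbool.h>
#include <stdio.h>

/* Local stand-ins so the sketch builds without strongSwan headers. The enum
 * mirrors libstrongswan's cert_validation_t; mock_auth_cfg_t is hypothetical. */
typedef enum {
	VALIDATION_GOOD, VALIDATION_SKIPPED, VALIDATION_STALE,
	VALIDATION_FAILED, VALIDATION_ON_HOLD, VALIDATION_REVOKED,
} cert_validation_t;

typedef struct {
	bool has_crl_rule;            /* a CRL validation rule was recorded */
	cert_validation_t crl_value;  /* its value, only valid if has_crl_rule */
} mock_auth_cfg_t;

/* In a plugin this lookup would be the remote auth_cfg taken from the IKE_SA
 * and its AUTH_RULE_CRL_VALIDATION rule. A missing rule is reported as
 * VALIDATION_FAILED so that callers fail closed. */
cert_validation_t crl_status(const mock_auth_cfg_t *remote)
{
	if (!remote || !remote->has_crl_rule)
	{
		return VALIDATION_FAILED;
	}
	return remote->crl_value;
}

/* Shaped like a listener's authorize hook: clearing *success vetoes the
 * IKE_SA, the return value only says whether to stay registered. */
bool authorize_hook(const mock_auth_cfg_t *remote, bool final, bool *success)
{
	(void)final; /* check in every round, not only the final call */
	if (crl_status(remote) != VALIDATION_GOOD)
	{
		*success = false;
	}
	return true;
}

int main(void)
{
	/* Constructed sample: peer certificate whose CRL check came back stale. */
	mock_auth_cfg_t stale = { true, VALIDATION_STALE };
	bool success = true;

	authorize_hook(&stale, false, &success);
	printf("stale CRL -> %s\n", success ? "accepted" : "rejected");
	return 0;
}
```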