[strongSwan] Reason for certificate rejects

Martin Willi martin at strongswan.org
Fri Nov 18 14:48:40 CET 2011

Hello Mugur,

> Is there any way to inform an application about an authentication
> failure due to a certificate rejected by the CRL (or inability to
> fetch the CRL)?

Revocation reasons are currently logged only. Extending the revocation
plugin to store revocation reasons is not that hard; we could save this
information on the resulting auth_cfg_t. Then you could access these
bits from any plugin and do whatever you want with it, for example send
it to an external application.

> Are there any specific variables in the updown script specifying the
> exact rejection reason?

No, the updown script does not have this information.


