[strongSwan] How to bypass CRL checks?

ABULIUS, MUGUR (MUGUR) mugur.abulius at alcatel-lucent.com
Thu Nov 24 13:06:13 CET 2011

Hello Stephen,

Thanks again.

I have seen at http://wiki.strongswan.org/projects/strongswan/wiki/Autoconf
that plug-ins are specified at strongSwan binary creation (./configure).

Is there any way, when strongSwan is loaded, to choose which plug-ins to load
(e.g. revocation)?

What is the best strongSwan deployment policy when some runs need the
revocation plug-in and some other runs do not need the plug-in?

Context: Charon under Linux

Best Regards

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: jeudi 24 novembre 2011 12:51
Cc: users at lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] How to bypass CRL checks?

Hello Mugur,

With IKEv2, revocation checks can be easily disabled by not loading the revocation plugin. What is not possible is to disable CRL checking on a per connection definition basis.



On 11/24/2011 08:50 AM, ABULIUS, MUGUR (MUGUR) wrote:
> Hello,
> Our understanding in case of setting strictcrlpolicy to **no** for 
> charon is that strongSwan denies the authentication if the certificate 
> appears in the fetched CRL. But, if the certificate does not specify 
> a URI or if the CRL can't be fetched the authentication is not 
> denied.
> Can you please check our understanding?
> In case our assumption is correct we are looking for a way to set up 
> strongSwan (for some specific run scenarios) to bypass any CRL checks 
> (even if strictcrlpolicy=no). We are looking for this capability even 
> if received certificates specify a URI and the corresponding CRL can 
> be fetched from CDP.
> Thank you
> Mugur

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
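
An added example, not part of the original thread and not strongSwan project code: an audit check that reports whether an explicit plugin list in strongswan.conf includes the revocation plugin, so a run without revocation checking is visible rather than silent. It assumes the list is set with a `load` key in the `charon` section (the thread does not name the mechanism); the parser is simplified and the sample configurations are constructed.

```python
import re

def parse_conf(text):
    """Parse a simplified strongswan.conf into {"section.key": "value"}."""
    settings, path = {}, []
    text = re.sub(r"#.*", "", text)  # drop comments
    # Tokens: 'name {' opens a section, '}' closes one, 'key = value' sets a value.
    pattern = r"([\w.-]+)\s*\{|(\})|([\w.-]+)[ \t]*=[ \t]*([^\n}]*)"
    for section, close, key, value in re.findall(pattern, text):
        if section:
            path.append(section)
        elif close:
            if path:
                path.pop()
        else:
            settings[".".join(path + [key])] = value.strip().strip('"')
    return settings

def revocation_status(conf_text, daemon="charon"):
    """Report whether the daemon's explicit plugin list includes 'revocation'."""
    load = parse_conf(conf_text).get(daemon + ".load")  # assumed key: charon.load
    if load is None:
        return "undetermined"  # no explicit plugin list in this file
    return "loaded" if "revocation" in load.split() else "not loaded"

# Constructed sample configurations (not taken from the thread).
WITH_REVOCATION = """
charon {
    # explicit plugin list
    load = random x509 revocation pubkey openssl kernel-netlink stroke
}
"""
WITHOUT_REVOCATION = """
charon {
    load = random x509 pubkey openssl kernel-netlink stroke
    plugins { stroke { timeout = 0 } }
}
"""
NO_LIST = "charon { threads = 16 }\n"

if __name__ == "__main__":
    samples = [("with", WITH_REVOCATION), ("without", WITHOUT_REVOCATION),
               ("no list", NO_LIST)]
    for name, conf in samples:
        print(name, "->", revocation_status(conf))
```

A result of "not loaded" marks a configuration in which CRL checks are skipped for every connection, since the reply above notes they cannot be disabled per connection definition.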
