[strongSwan] How to disable 'CRL' in strongswan.conf?
Yong Choo
yhc at alcatel-lucent.com
Tue Jan 10 13:47:35 CET 2012
Thanks Much! Yes it would be sufficient for 'dynamic purpose' in our
situation!
So to be sure:
charon {
...
load = revocation
} --> charon would load the 'revocation' plugin
charon {
...
} --> charon would NOT load the 'revocation' plugin
Correct?
ps.
The statement in the release note was what got me confused, i.e. I
thought that without 'load', the statement led me to believe that the
revocation plugin is automatically loaded in :)
_"OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
enabled by default."_
-Yong Choo
On 1/9/2012 10:43 PM, Andreas Steffen wrote:
> Hello Yong Choo,
>
> you can do that with an explicit load statement in strongswan.conf.
>
> Just prepare two versions of strongswan.conf - one with the
> revocation plugin in the load statement and one without it.
> Depending on the situation you either start strongSwan with
> one strongswan.conf or the second one. Is this dynamical enough?
>
> Regards
>
> Andreas
>
> On 09.01.2012 20:59, Yong Choo wrote:
>> Searching in database, I came up on the following in
>> http://www.mail-archive.com/users@lists.strongswan.org/msg03918.html
>> So, the question is 'how not to load the revocation plugin when it is
>> already enabled by default?'
>>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.stef... at strongswan.org]
>> Sent: jeudi 24 novembre 2011 12:51
>> To: ABULIUS, MUGUR (MUGUR)
>> Cc: users at lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen
>> G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
>> Subject: Re: [strongSwan] How to bypass CRL checks?
>>
>> Hello Mugur,
>>
>> with IKEv2 revocation checks can be easily disabled by not loading the
>> revocation plugin. What is not possible is to disable CRL checking on a per
>> connection definition basis.
>>
>> Regards
>>
>> Andreas
>>
>>
>>
>> On 1/9/2012 12:30 PM, Yong Choo wrote:
>>> Hi,
>>> Looking at http://wiki.strongswan.org/projects/1/wiki/441,
>>> OCSP/CRL checking in IKEv2 has been moved to the revocation plugin,
>>> enabled by default. Please update manual load directives in strongswan.conf.
>>>
>>> How can I disable this plugin dynamically? We have a need of
>>> dynamically controlling the loading of plugin at run-time.
>>>
>>> Thanks Much,
>>> -Yong Choo
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
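
An added example, not part of the original thread or of strongSwan itself: a small Python check that reads the text of a strongswan.conf and reports whether the explicit `charon { load = ... }` list discussed above includes the revocation plugin, which is useful for confirming which of the two prepared files leaves OCSP/CRL checking off. The function names and the sample configurations are constructed for illustration, and only the `load = ` list form shown in the thread is handled.

```python
import re

# One token per match: "name {", "}", or "key = value" (value runs to end of line or "}").
TOKEN = re.compile(
    r"(?P<open>[\w.-]+)\s*\{|(?P<close>\})|(?P<key>[\w.-]+)\s*=\s*(?P<val>[^\n}]*)"
)

def charon_load(conf_text):
    """Return the plugin names in charon { load = ... }, or None if no such line exists."""
    text = re.sub(r"#[^\n]*", "", conf_text)      # drop comments first
    path = []                                     # stack of enclosing section names
    for m in TOKEN.finditer(text):
        if m.group("open"):
            path.append(m.group("open"))
        elif m.group("close"):
            if path:
                path.pop()
        elif path == ["charon"] and m.group("key") == "load":
            return m.group("val").split()         # only the top-level charon list counts
    return None

def revocation_status(conf_text):
    """Classify a configuration as 'loaded', 'not-loaded' or 'default'."""
    plugins = charon_load(conf_text)
    if plugins is None:
        # No explicit list: the release note quoted in the thread describes
        # the revocation plugin as enabled by default.
        return "default"
    return "loaded" if "revocation" in plugins else "not-loaded"

# Constructed sample configurations (not taken from a real gateway).
WITH_REVOCATION = """
charon {
    threads = 16
    load = aes sha1 x509 revocation pem stroke
}
"""
WITHOUT_REVOCATION = """
charon {
    # load = aes sha1 x509 revocation pem stroke
    plugins { sql { loglevel = -1 } }
    load = aes sha1 x509 pem stroke
}
"""
NO_LOAD_LINE = "charon {\n    threads = 16\n}\n"

if __name__ == "__main__":
    for name in ("WITH_REVOCATION", "WITHOUT_REVOCATION", "NO_LOAD_LINE"):
        print(name, "->", revocation_status(globals()[name]))
```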