[strongSwan] CRLs over IPsec tunnels

ABULIUS, MUGUR (MUGUR) mugur.abulius at alcatel-lucent.com
Wed Nov 7 09:02:29 CET 2012

Hi Martin,

> Fetching a CRL inside the tunnel to check the certificate status
> for the same tunnel does not work: it is a hen-egg problem. With
> a strict CRL policy, you can't establish the tunnel, because you
> have no CRL. And you can't fetch a CRL, because you don't have a tunnel yet.

In case CRLs are retrieved outside this tunnel, can you please
confirm that:

1) Charon HTTP requests use the protocol and port from "/etc/services" (e.g. TCP/80)?
2) Charon supports RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax?

Best Regards
