[strongSwan] Support of cRLDistributionPoints with a SEQUENCE of ***Multiple*** distributionPioint

Martin Willi martin at strongswan.org
Wed Nov 14 11:57:24 CET 2012

Hi Mugur,
> Can you please confirm that Charon supports multiple
> distributionPoints (rfc5280) inside cRLDistributionPoints extension
> (therefore multiple HTTP URI for CRL files) ?

Yes, this is supported.

> If yes, then how Charon retrieves CRLs from these DPs function of
> strictcrlpolicy and function of the CRL files availability?

If no valid CRL information is available locally from the cache, charon
fetches CRLs from these URIs until it finds a valid up-to-date CRL. This
happens independently of any strictcrlpolicy setting.

If strictcrlpolicy is "yes" or "ifuri", the certificate is rejected if
fetching from all of the contained URIs did not yield a valid up-to-date


More information about the Users mailing list