[strongSwan] Support of cRLDistributionPoints with a SEQUENCE of ***Multiple*** distributionPoint
Martin Willi
martin at strongswan.org
Wed Nov 14 11:57:24 CET 2012
Hi Mugur,

> Can you please confirm that Charon supports multiple
> distributionPoints (rfc5280) inside the cRLDistributionPoints extension
> (therefore multiple HTTP URIs for CRL files)?

Yes, this is supported.

> If yes, then how does Charon retrieve CRLs from these DPs as a function of
> strictcrlpolicy and as a function of the CRL files' availability?

If no valid CRL information is available locally from the cache, charon
fetches CRLs from these URIs until it finds a valid up-to-date CRL. This
happens independently of any strictcrlpolicy setting.

If strictcrlpolicy is "yes" or "ifuri", the certificate is rejected if
fetching from all of the contained URIs did not yield a valid up-to-date
CRL.

Regards
Martin
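
The behaviour described in the reply above, modelled as an added Python example; it is not charon's code and not part of the original message. The CRL dictionaries, the example.test URIs and the fetch callback are constructed for illustration. The outcome for strictcrlpolicy "no", and "ifuri" acting like "no" when no URI is known, are assumptions taken from the ipsec.conf documentation rather than from this message.

```python
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2012, 11, 14, 12, 0, tzinfo=UTC)  # constructed evaluation time

# Constructed CRL stand-ins: validity window plus revoked serial numbers.
STALE = {"this_update": datetime(2012, 10, 1, tzinfo=UTC),
         "next_update": datetime(2012, 11, 1, tzinfo=UTC), "revoked": set()}
FRESH = {"this_update": datetime(2012, 11, 13, tzinfo=UTC),
         "next_update": datetime(2012, 11, 20, tzinfo=UTC), "revoked": {0x1A2B}}

# Constructed distribution points, in certificate order: expired, unreachable, good.
SERVERS = {
    "http://crl1.example.test/ca.crl": STALE,
    "http://crl2.example.test/ca.crl": None,
    "http://crl3.example.test/ca.crl": FRESH,
}

def crl_is_current(crl, now):
    """A CRL is usable when it was fetched and now lies in [thisUpdate, nextUpdate)."""
    return crl is not None and crl["this_update"] <= now < crl["next_update"]

def check_certificate(serial, dp_uris, fetch, cache, policy, now):
    """Return (verdict, uris_tried); fetch(uri) yields a CRL dict or None (hypothetical)."""
    tried = []
    crl = cache.get("crl")
    if not crl_is_current(crl, now):
        crl = None
        # Fetching is attempted whatever the strictcrlpolicy value is.
        for uri in dp_uris:
            tried.append(uri)
            candidate = fetch(uri)
            if crl_is_current(candidate, now):
                crl = cache["crl"] = candidate
                break  # first valid up-to-date CRL ends the search
    if crl is not None:
        return ("revoked" if serial in crl["revoked"] else "good"), tried
    # Every distribution point failed: only now does the policy matter.
    strict = policy == "yes" or (policy == "ifuri" and bool(dp_uris))
    return ("rejected" if strict else "accepted-unchecked"), tried

if __name__ == "__main__":
    for policy in ("no", "ifuri", "yes"):
        print(policy, check_certificate(0x99, list(SERVERS)[:2], SERVERS.get, {}, policy, NOW))
```

With a lenient policy an attacker who can block every distribution point suppresses revocation checking, which is the case the "yes" and "ifuri" settings close.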