[strongSwan] crlcheckinterval in charon

Andreas Steffen andreas.steffen at strongswan.org
Sat Feb 9 08:33:10 CET 2013


Hi,

crlcheckinterval is not needed anymore because charon has several
worker threads. If a certificate has to be checked for revocation,
the thread responsible for a given IKE connection just blocks
the current IKE processing and fetches a fresh CRL via http: or
ldap: if necessary. After the file has been downloaded, which can
take a couple of seconds but usually does not cause a retransmission
by the peer, the IKE processing for the given connection is resumed.

Pluto only had a single worker thread for all IKE connections
plus a second thread for CRL fetching. Therefore pro-active CRL
fetching using the crlcheckinterval had to be implemented.

Regards

Andreas

On 02/09/2013 12:41 AM, kgardenia42 wrote:
> Hi,
> 
> I notice that crlcheckinterval is not included in strongswan 5.x.  Is
> this just a case of it not having been implemented yet or has the
> feature been deliberately removed?
> 
> If the latter then what is the expected way to "poll" a crluri to
> check for modifications?  I know about OCSP but the realtime check is
> too expensive in my situation so the static file with periodic check
> is ideal.
> 
> I suppose I could replicate my own home-grown version of
> "crlcheckinterval" by having a cron/agent do an If-Modified-Since
> check on the CRL URL every so often and somehow tell charon to re-read
> the list if it is modified.  But that is extra moving parts I'd
> ideally like to avoid.
> 
> Alternatively, is there any command-line mechanism to tell charon to
> re-read the crluri?  If that exists then I could just have a cron
> which periodically tells charon to re-check it.
> 
> Thanks.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
