[strongSwan] OCSP and CRL

Mina Jafari ai.minajafari at gmail.com
Mon Dec 14 21:25:19 CET 2015


Hi all,
I have some questions about applying OCSP and CRL to check the status of
certificates.
If a certificate is revoked after the OCSP response is sent to the client and the
connection is established, then how is such a scenario managed using OCSP?
I tried some scenarios like this; I expected that, due to the next update of the
fetched response, a new response would be fetched, but in the log I can see it
says the OCSP response is stale, yet still no new response is fetched! It has
cached the old response and does not refresh it; I thought it would
refresh it at every rekey!
Another scenario is this: I use CRLs which are located in ipsec.d/crls. I
added a fresh CRL to this directory and thought it would replace the
old one at rekey or when the remote peer restarts its ipsec. But it is
replaced only when the local side restarts ipsec. I even tried "ipsec
rereadcrls", but with no effect.
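Both observations above hinge on the same field: a CRL (like an OCSP response) carries a nextUpdate time, and once that instant has passed the cached copy is "stale" until a freshly fetched one replaces it. The following POSIX shell script is an added example, not from this post and not strongSwan's own code; it uses only the openssl CLI to build a throwaway CA, issue and later revoke a peer certificate, publish a one-day CRL, and classify the certificate as good, crl-stale or revoked. The -attime option of openssl verify evaluates the chain at a chosen instant, so the stale-CRL case can be reproduced without waiting a day. All file names, subjects and lifetimes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post above and not strongSwan code: a throwaway
# CA built with the openssl CLI to show what a "stale" CRL is (nextUpdate has
# passed) and how a revoked certificate is reported once a fresh CRL replaces
# the cached one. Everything below is constructed for this demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config for `req` and `ca` (constructed for the example).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_peer ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 1
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
mkdir -p newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber

# CA key + self-signed CA cert, then a peer key/CSR signed by that CA.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout peer.key -out peer.csr -subj "/CN=peer" >/dev/null 2>&1
openssl ca -batch -config ca.cnf -extensions v3_peer -days 10 -notext \
  -in peer.csr -out peer.crt >/dev/null 2>&1

# Publish a CRL valid for one day and bundle it with the CA cert, which is
# where `openssl verify -crl_check -CAfile` looks for CRLs.
openssl ca -config ca.cnf -gencrl -crldays 1 -out ca.crl >/dev/null 2>&1
cat ca.crt ca.crl > bundle-fresh.pem

# crl_next_update CRL: print the CRL's nextUpdate timestamp; a checker has to
# load a newer CRL before this instant, otherwise the cached copy is stale.
crl_next_update() {
  openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# revocation_status CERT EPOCH BUNDLE: classify CERT against the CA+CRL
# bundle as of EPOCH (seconds since 1970). -attime "fast-forwards" the
# verifier's clock so the CRL-expired path can be exercised immediately.
revocation_status() {
  out=$(openssl verify -crl_check -attime "$2" -CAfile "$3" "$1" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *"CRL has expired"*)     echo crl-stale ;;
    *": OK"*)                echo good ;;
    *)                       echo "other: $out" ;;
  esac
}

NOW=$(date -u +%s)
LATER=$((NOW + 2 * 86400))   # two days on: past the CRL's nextUpdate

echo "CRL nextUpdate:       $(crl_next_update ca.crl)"
echo "now, fresh CRL:       $(revocation_status "$WORK/peer.crt" "$NOW"   "$WORK/bundle-fresh.pem")"
echo "+2 days, same CRL:    $(revocation_status "$WORK/peer.crt" "$LATER" "$WORK/bundle-fresh.pem")"

# Revoke the peer and publish a fresh CRL. The status only changes once the
# checker loads the new bundle; a checker still holding the old CRL keeps
# answering "good", which is the reload problem the post describes.
openssl ca -config ca.cnf -revoke peer.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -crldays 1 -out ca.crl >/dev/null 2>&1
cat ca.crt ca.crl > bundle-revoked.pem
echo "now, old CRL cached:  $(revocation_status "$WORK/peer.crt" "$NOW" "$WORK/bundle-fresh.pem")"
echo "now, new CRL loaded:  $(revocation_status "$WORK/peer.crt" "$NOW" "$WORK/bundle-revoked.pem")"
```

Two points worth checking against any checker, strongSwan included: whether it refetches before nextUpdate passes (a stale result on a cached CRL or OCSP response means it did not), and whether an expired CRL is treated as a failure or tolerated, which in strongSwan is governed by its strictcrlpolicy setting. The last two lines of the script show the window that the post is worried about: between a revocation being published and the checker actually loading the new CRL, the old cached copy still reports the certificate as good.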

