[strongSwan] Strongswan does not remove CA Certificate from its internal objects (RAM) even after removing the certificate from cacerts directory or ca section.
sajalmalhotra at gmail.com
Wed May 13 18:08:46 CEST 2015
Thanks Martin for a quick reply.
I was looking at the link for patches that you shared; however, I could not
identify which 6 patches include the fix, as there are many patches
available on this link:
On May 13, 2015 3:17 PM, "Martin Willi" <martin at strongswan.org> wrote:
> > ca section1
> > cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
> > 6. After removing this and executing "ipsec update" we expect that the
> > SA will not get established as the end which does not have root CA of
> > peer will reject the IKE_AUTH.
> All CA certificates placed under the cacerts directory get loaded
> implicitly. The ipsec.conf ca section is there to load CA certificates
> from other locations, or to define additional properties for that CA
> (refer to the ipsec.conf manpage for details).
> Further, CA certificate unloading was not supported until 5.3.0, see
> . With that version, you can re/unload all CA certificates from the
> cacerts directory using the "ipsec reread" command, or use "ipsec
> update" to re/unload CA certificates referenced in ipsec.conf ca