[strongSwan] Strongswan does not removes CA Certificate from its internal objects (RAM) even after removing the certificate from cacerts directory or ca section.

Sajal Malhotra sajalmalhotra at gmail.com
Wed May 13 18:08:46 CEST 2015

Thanks Martin for a quick reply.
I was looking at link for patches that you shared however could not
identify which 6 patches include the fix as there are many patches
available on this link:




On May 13, 2015 3:17 PM, "Martin Willi" <martin at strongswan.org> wrote:

> Hi,
> > ca section1
> >         cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
> > 6. After removing this and executing "ipsec update" we expect that the
> > SA will not get established as the end which does not have root CA of
> > peer will reject the IKE_AUTH.
> All CA certificates placed under the cacerts directory get loaded
> implicitly. The ipsec.conf ca section is there to load CA certificates
> from other locations, or to define additional properties for that CA
> (refer to the ipsec.conf manpage for details).
> Further, CA certificate unloading was not supported until 5.3.0, see
> [1]. With that version, you can re/unload all CA certificates from the
> cacerts directory using the "ipsec reread" command, or use "ipsec
> update" to re/unload CA certificates referenced in ipsec.conf ca
> sections.
> Regards
> Martin
> [1]https://wiki.strongswan.org/issues/842
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150513/00ad7f67/attachment.html>

More information about the Users mailing list