[strongSwan] Strongswan does not removes CA Certificate from its internal objects (RAM) even after removing the certificate from cacerts directory or ca section.
sajalmalhotra at gmail.com
Thu May 14 13:46:38 CEST 2015
Is it possible to share patch details that we can apply over v5.2?
I need changes that will re/unload CA certificates referenced in ipsec.conf
ca sections via "ipsec
Using the link you shared I am not able to identify how to get to the
changed files of the 6 patches that you have mentioned in the link.
On Wed, May 13, 2015 at 9:38 PM, Sajal Malhotra <sajalmalhotra at gmail.com>
> Thanks Martin for a quick reply.
> I was looking at the link for patches that you shared; however, I could not
> identify which 6 patches include the fix as there are many patches
> available on this link:
> On May 13, 2015 3:17 PM, "Martin Willi" <martin at strongswan.org> wrote:
>> > ca section1
>> > cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
>> > 6. After removing this and executing "ipsec update" we expect that the
>> > SA will not get established as the end which does not have root CA of
>> > peer will reject the IKE_AUTH.
>> All CA certificates placed under the cacerts directory get loaded
>> implicitly. The ipsec.conf ca section is there to load CA certificates
>> from other locations, or to define additional properties for that CA
>> (refer to the ipsec.conf manpage for details).
>> Further, CA certificate unloading was not supported until 5.3.0, see
>> . With that version, you can re/unload all CA certificates from the
>> cacerts directory using the "ipsec reread" command, or use "ipsec
>> update" to re/unload CA certificates referenced in ipsec.conf ca