[strongSwan] strongSwan does not remove CA certificate from its internal objects (RAM) even after removing the certificate from the cacerts directory or ca section.

Sajal Malhotra sajalmalhotra at gmail.com
Thu May 14 13:46:38 CEST 2015


Hi Martin,

Is it possible to share patch details that we can apply over v5.2?
I need changes that will re/unload CA certificates referenced in ipsec.conf
ca sections via the "ipsec update" command.

Using the link you shared, I am not able to identify how to get to the
changed files of the 6 patches that you mentioned in the link.


BR
Sajal

On Wed, May 13, 2015 at 9:38 PM, Sajal Malhotra <sajalmalhotra at gmail.com>
wrote:

> Thanks Martin for a quick reply.
> I was looking at the link for patches that you shared; however, I could not
> identify which 6 patches include the fix, as there are many patches
> available on this link:
>
> http://git.strongswan.org/?p=strongswan.git;a=shortlog
>
>
> BR
>
> Sajal
>
>
>
> On May 13, 2015 3:17 PM, "Martin Willi" <martin at strongswan.org> wrote:
>
>> Hi,
>>
>> > ca section1
>> >         cacert=/usr/local/etc/ipsec.d/cacerts/CA.pem
>>
>> > 6. After removing this and executing "ipsec update" we expect that the
>> > SA will not get established, as the end which does not have the root CA of
>> > the peer will reject the IKE_AUTH.
>>
>> All CA certificates placed under the cacerts directory get loaded
>> implicitly. The ipsec.conf ca section is there to load CA certificates
>> from other locations, or to define additional properties for that CA
>> (refer to the ipsec.conf manpage for details).
>>
>> Further, CA certificate unloading was not supported until 5.3.0, see
>> [1]. With that version, you can re/unload all CA certificates from the
>> cacerts directory using the "ipsec reread" command, or use "ipsec
>> update" to re/unload CA certificates referenced in ipsec.conf ca
>> sections.
>>
>> Regards
>> Martin
>>
>> [1] https://wiki.strongswan.org/issues/842
>>
>>
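A verification check for the condition this thread is about, written as an added example (not code from the thread or from the strongSwan project): it assumes the "subject:" line layout of "ipsec listcacerts" output and a 5.3.0 or later daemon for "ipsec reread" to unload certificates; the sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project: verify that a
# CA certificate deleted from ipsec.d/cacerts is actually gone from the running
# charon daemon. Pre-5.3.0 daemons keep it in RAM (the issue in this thread);
# on 5.3.0+ "ipsec reread" (cacerts directory) or "ipsec update" (ca sections)
# unloads it. Assumes the '  subject:  "<DN>"' line format of "ipsec listcacerts".

# ca_loaded_in SUBJECT_DN: read "ipsec listcacerts" output on stdin and return
# 0 if a CA with exactly that subject DN is loaded, 1 otherwise.
ca_loaded_in() {
    # Squeeze repeated spaces so the match does not depend on column alignment.
    tr -s ' ' | grep -F -q "subject: \"$1\""
}

# Constructed sample output: the CA file was already deleted from cacerts, but
# the daemon has not unloaded it (pre-5.3.0, or no "ipsec reread" yet).
SAMPLE_STALE='List of X.509 CA Certificates:

  subject:  "C=CH, O=strongSwan, CN=strongSwan CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  validity:  not before Apr 14 10:00:00 2015, ok
             not after  Apr 14 10:00:00 2025, ok (expires in 3652 days)
'
# Constructed sample output after a successful unload: no CA left.
SAMPLE_CLEAN='List of X.509 CA Certificates:
'

# check_ca_unloaded SUBJECT_DN: live check against the running daemon (needs
# root and strongSwan installed). Run it after deleting the file and issuing
# "ipsec reread" (or "ipsec update" for certificates referenced in ca sections).
check_ca_unloaded() {
    if ipsec listcacerts | ca_loaded_in "$1"; then
        echo "STALE: '$1' is still a trusted CA in charon; peers it signed still authenticate" >&2
        return 1
    fi
    echo "OK: '$1' is no longer a trusted CA in charon"
}

# Offline demonstration on the constructed samples.
demo() {
    dn='C=CH, O=strongSwan, CN=strongSwan CA'
    if printf '%s' "$SAMPLE_STALE" | ca_loaded_in "$dn"; then
        echo "stale sample: CA still loaded (expected)"
    fi
    if ! printf '%s' "$SAMPLE_CLEAN" | ca_loaded_in "$dn"; then
        echo "clean sample: CA unloaded (expected)"
    fi
}
demo
```

On a live host, call check_ca_unloaded with the CA's subject DN after the reread; a non-zero exit means the trust anchor is still in memory and the daemon will still accept IKE_AUTH from peers certified by it.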