[strongSwan] CRL check: how to fail over to local CRL if fetch fails
Zach Cutlip
uid000 at gmail.com
Wed Apr 19 19:49:37 CEST 2017
Is there a way to make CRL verification fail over to a local CRL if
fetching fails?
My client certificates are configured with an embedded CRL URL. I'm
finding that if charon is unable to fetch the CRL from the url
provided by the cert for some reason, CRL checking fails and
authentication continues. I've provided a local copy of the CRL in
/etc/ipsec.d, but it seems to never get checked.
I've verified the local CRL has been loaded; both from syslog entries
when the strongswan service is started, and from 'ipsec listcrls'.
Thanks,
Zach
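The behaviour the question asks for, as an added illustration that is not part of the post and not strongSwan's own code: a revocation check that first tries the CRL distribution point embedded in the certificate and, when that fetch fails, falls back to a locally supplied CRL, accepting either only if it is signed by the CA and not past its nextUpdate; what happens when no usable CRL is available is controlled by a policy flag. It assumes the `cryptography` Python library; the CA, client certificate and CRL are generated in memory for the demonstration, the distribution-point URL is a placeholder that is never contacted, and the fetch is a caller-supplied callback so the failure case can be exercised offline.

```python
"""Added example: CRL check with fail-over from the certificate's CRL URL to a
local CRL copy. Nothing here is strongSwan's implementation; it only models the
decision the post wants charon to make."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRL_URL = "http://crl.example.invalid/ca.crl"  # placeholder, never fetched


class FetchError(Exception):
    """Raised by a fetch callback when the CRL URL cannot be retrieved."""


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_pki(revoke_leaf=True):
    """Constructed test PKI: CA cert, client cert with a CRL DP, DER-encoded CRL."""
    now = datetime.now(timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = (x509.CertificateBuilder().subject_name(_name("Test CA"))
          .issuer_name(_name("Test CA")).public_key(ca_key.public_key())
          .serial_number(x509.random_serial_number())
          .not_valid_before(now - timedelta(minutes=1))
          .not_valid_after(now + timedelta(days=1))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(CRL_URL)],
                                relative_name=None, reasons=None, crl_issuer=None)
    leaf = (x509.CertificateBuilder().subject_name(_name("client"))
            .issuer_name(ca.subject).public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=1))
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    crl_builder = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
                   .last_update(now - timedelta(minutes=1))
                   .next_update(now + timedelta(days=1)))
    if revoke_leaf:
        crl_builder = crl_builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(leaf.serial_number)
            .revocation_date(now - timedelta(minutes=1)).build())
    crl = crl_builder.sign(ca_key, hashes.SHA256())
    return ca, leaf, crl.public_bytes(serialization.Encoding.DER)


def _next_update(crl):
    # Newer cryptography releases expose a tz-aware next_update_utc; older ones
    # only a naive UTC next_update. Normalise to aware UTC for the comparison.
    nu = getattr(crl, "next_update_utc", None)
    if nu is None:
        nu = crl.next_update.replace(tzinfo=timezone.utc)
    return nu


def check_revocation(leaf, ca, fetch, local_crl_der=None):
    """Return (verdict, source): verdict is "good", "revoked" or "unknown";
    source is "url" or "local", telling which CRL decided the case."""
    dps = leaf.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    url = dps[0].full_name[0].value
    candidates = []
    try:
        candidates.append(("url", fetch(url)))   # preferred: the cert's CRL DP
    except FetchError:
        pass                                     # fall through to the local copy
    if local_crl_der is not None:
        candidates.append(("local", local_crl_der))
    now = datetime.now(timezone.utc)
    for source, der in candidates:
        try:
            crl = x509.load_der_x509_crl(der)
        except ValueError:
            continue                             # not a parseable CRL
        if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
            continue                             # wrong issuer or bad signature
        if _next_update(crl) < now:
            continue                             # stale CRL, do not trust it
        revoked = crl.get_revoked_certificate_by_serial_number(leaf.serial_number)
        return ("revoked" if revoked is not None else "good", source)
    return ("unknown", None)


def accept(result, strict=True):
    """Policy: revoked never passes; "unknown" passes only when strict is False,
    which is the lenient outcome the post describes (check fails, auth continues)."""
    verdict, _ = result
    if verdict == "good":
        return True
    if verdict == "revoked":
        return False
    return not strict
```

With `strict=True`, a certificate whose revocation status cannot be established (URL unreachable and no valid local CRL) is rejected rather than waved through; this is the fail-closed posture to aim for when the CRL is the only revocation source. In strongSwan terms the equivalent knob is `strictcrlpolicy` in ipsec.conf, which the post does not mention and which does not by itself answer the question of why the local copy is not consulted.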