[strongSwan] CRL check: how to fail over to local CRL if fetch fails

Zach Cutlip uid000 at gmail.com
Wed Apr 19 19:49:37 CEST 2017

Is there a way to make CRL verification fail over to a local CRL if
fetching fails?

My client certificates are configured with an embedded CRL URL. I'm
finding that if charon is unable to fetch the CRL from the URL
provided by the cert for some reason, CRL checking fails and
authentication continues. I've provided a local copy of the CRL in
/etc/ipsec.d, but it seems to never get checked.

I've verified the local CRL has been loaded; both from syslog entries
when the strongswan service is started, and from 'ipsec listcrls'.