[strongSwan] CRL check: how to fail over to local CRL if fetch fails

Zach Cutlip uid000 at gmail.com
Thu Apr 20 20:15:39 CEST 2017

Alternatively, is there a way to just ignore embedded CRL distribution
points, and always use the local CRL?

On Wed, Apr 19, 2017 at 10:49 AM, Zach Cutlip <uid000 at gmail.com> wrote:
> Is there a way to make CRL verification fail over to a local CRL if
> fetching fails?
> My client certificates are configured with an embedded CRL URL. I'm
> finding that if charon is unable to fetch the CRL from the url
> provided by the cert for some reason, CRL checking fails and
> authentication continues. I've provided a local copy of the CRL in
> /etc/ipsec.d, but it seems to never get checked.
> I've verified the local CRL has been loaded; both from syslog entries
> when the strongswan service is is started, and from 'ipsec listcrls'.
> Thanks,
> Zach

More information about the Users mailing list