[strongSwan] CRL check: how to fail over to local CRL if fetch fails

Zach Cutlip uid000 at gmail.com
Thu Apr 20 20:15:39 CEST 2017


Alternatively, is there a way to just ignore embedded CRL distribution
points, and always use the local CRL?

On Wed, Apr 19, 2017 at 10:49 AM, Zach Cutlip <uid000 at gmail.com> wrote:
> Is there a way to make CRL verification fail over to a local CRL if
> fetching fails?
>
> My client certificates are configured with an embedded CRL URL. I'm
> finding that if charon is unable to fetch the CRL from the url
> provided by the cert for some reason, CRL checking fails and
> authentication continues. I've provided a local copy of the CRL in
> /etc/ipsec.d, but it seems to never get checked.
>
> I've verified the local CRL has been loaded; both from syslog entries
> when the strongswan service is started, and from 'ipsec listcrls'.
>
> Thanks,
> Zach
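
A check worth running before touching charon's configuration: confirm that the local CRL file really is issued by the client CA and really lists the certificate you expect, because if it does not, charon's answer is the same whether or not the CRL distribution point is reachable. The script below is an added example, not part of the mailing list post and not strongSwan's own code. It builds a throwaway CA with openssl, issues client certificates that carry an unreachable CRL distribution point URL (the same situation as in the thread), and verifies them against a local CRL file only; openssl verify never contacts the CDP in the certificate. The CA name, the CN values and the CDP URL are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or from strongSwan): check a client cert
# against a LOCAL CRL with openssl, ignoring the CDP URL embedded in the cert.
# All names, paths and the CDP URL below are constructed for this demo.
set -eu

DEMO_DIR=$(mktemp -d "${TMPDIR:-/tmp}/crl-demo.XXXXXX")
trap 'rm -rf "$DEMO_DIR"' EXIT

# Write the minimal "openssl ca" database and config for the throwaway CA.
setup_demo_ca() {
    mkdir -p "$DEMO_DIR/newcerts"
    : > "$DEMO_DIR/index.txt"
    echo 01 > "$DEMO_DIR/serial"
    echo 01 > "$DEMO_DIR/crlnumber"
    cat > "$DEMO_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca_ext ]
basicConstraints       = critical,CA:true
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash

[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $DEMO_DIR/index.txt
new_certs_dir    = $DEMO_DIR/newcerts
serial           = $DEMO_DIR/serial
crlnumber        = $DEMO_DIR/crlnumber
certificate      = $DEMO_DIR/ca.crt
private_key      = $DEMO_DIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext

[ demo_policy ]
commonName = supplied

# Every issued cert points at a CDP that can never be fetched (constructed;
# the .invalid TLD is reserved by RFC 2606), mirroring the thread's setup.
[ client_ext ]
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
EOF
    openssl req -config "$DEMO_DIR/ca.cnf" -x509 -new -newkey rsa:2048 -nodes \
        -days 365 -extensions ca_ext -subj "/CN=Demo CA" \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" >/dev/null 2>&1
    regen_crl
}

# Regenerate the local CRL file from the CA database.
regen_crl() {
    openssl ca -config "$DEMO_DIR/ca.cnf" -gencrl \
        -out "$DEMO_DIR/crl.pem" >/dev/null 2>&1
}

# Issue a client certificate; $1 is the CN, output is $DEMO_DIR/$1.crt.
issue_client() {
    openssl req -config "$DEMO_DIR/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$DEMO_DIR/$1.key" \
        -out "$DEMO_DIR/$1.csr" >/dev/null 2>&1
    openssl ca -config "$DEMO_DIR/ca.cnf" -batch -notext \
        -in "$DEMO_DIR/$1.csr" -out "$DEMO_DIR/$1.crt" >/dev/null 2>&1
}

# Revoke client $1 and publish a fresh local CRL.
revoke_client() {
    openssl ca -config "$DEMO_DIR/ca.cnf" -revoke "$DEMO_DIR/$1.crt" >/dev/null 2>&1
    regen_crl
}

# Verify client $1 against the local CRL only. openssl uses the CRL file it is
# given and does not try the CDP URL. Prints "valid" or "revoked".
crl_status() {
    if out=$(openssl verify -crl_check -CAfile "$DEMO_DIR/ca.crt" \
                 -CRLfile "$DEMO_DIR/crl.pem" "$DEMO_DIR/$1.crt" 2>&1); then
        echo valid
    else
        case "$out" in
            *revoked*) echo revoked ;;
            *) printf 'error: %s\n' "$out"; return 1 ;;
        esac
    fi
}

setup_demo_ca
issue_client client-a
issue_client client-b
revoke_client client-b
echo "client-a: $(crl_status client-a)"   # valid
echo "client-b: $(crl_status client-b)"   # revoked
```

The same `openssl verify -crl_check -CAfile ... -CRLfile ...` invocation, pointed at the real CA certificate, the CRL copied into /etc/ipsec.d and the client certificate in question, tells you whether the local CRL is actually applicable before you look at why charon is not consulting it.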

