[strongSwan] CRL check: how to fail over to local CRL if fetch fails

Tobias Brunner tobias at strongswan.org
Fri Apr 21 20:29:50 CEST 2017

Hi Zach,

> Why is the CRL loaded from /etc/ipsec.d/crls/, but not consulted?

It is either not valid or does not apply when verifying the validity of
the peer's certificate.  The lookup for cached CRLs is based on the
subjectKeyIdentifier in the issuer certificate - which must match the
authKeyIdentifier of the CRL - and then the cRLIssuer fields of any CDPs
in the certificate that's verified.

> Why is the curl plugin unable to fetch the local CRL from the file:/// uri?

You need a fetcher plugin that is capable of fetching such URIs.  As
Noel mentioned, the file plugin can do so (without external
dependencies), and the curl plugin can do so too, depending on whether
your build of libcurl supports it or not.


More information about the Users mailing list