[strongSwan] charon and CRL loading

Modster, Anthony Anthony.Modster at Teledyne.com
Thu May 9 18:10:50 CEST 2019

Sorry (round 2)

Item 2, using "authorities section" "crl_uirs = fill:///xxx"
If the host does not have a CRL, then the "authorities section" will not be loaded by our host.

If a CRL comes in, then I think we would need to do the following:
1. create "authorities section" "crl_uirs = fill:///xxx" in swanctl.conf
2. --load-authorities 
3. --load-creds

-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Tobias Brunner
Sent: Thursday, May 09, 2019 8:09 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Cc: Amare, Mesfin <Mesfin.Amare at Teledyne.com>
Subject: Re: [strongSwan] charon and CRL loading

---External Email---

Hi Anthony,

> Item 1, if a new CRL is copied to the x509crl directory, "authorities 
> section" not configured, ? will charon automatically re-load the CRL

No, swanctl --load-creds has to be called explicitly.

> Item 2, if a new CRL is copied to the "assigned location", and 
> "authorities section" "crl_uirs = fill:///xxx", ? will charon 
> automatically re-load the CRL

Only if a previously fetched and cached version expired, or the cache has been flushed manually.


More information about the Users mailing list