[strongSwan] charon and CRL loading

Modster, Anthony Anthony.Modster at Teledyne.com
Thu May 9 19:48:06 CEST 2019


-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org> 
Sent: Thursday, May 09, 2019 9:26 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Cc: Amare, Mesfin <Mesfin.Amare at Teledyne.com>
Subject: Re: [strongSwan] charon and CRL loading

Hi Anthony,
> If a CRL comes in, then I think we would need to do the following:
> 1. create "authorities section" "crl_uris = file:///xxx" in swanctl.conf
> 2. --load-authorities
> 3. --load-creds

You don't need step 3 if you use file URIs; the CRL is fetched dynamically during authentication (if you update the CRL while the old one is still valid for a while, you need to flush the cache, as pointed out before). And if you, alternatively, store the CRL in x509crl, then you only need step 3 (and, again, perhaps flush the cache).

