[strongSwan] OCSP update dime
Modster, Anthony
Anthony.Modster at Teledyne.com
Wed Nov 6 22:31:03 CET 2019
Hello
? then what is Andreas referencing, below is the issue reported
https://wiki.strongswan.org/issues/568
Hi Jim,
the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly then you must either dramatically reduce the lifetime of a CRL e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) which will give you realtime information on the certificate status.
Andreas
-----Original Message-----
From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
Sent: Wednesday, November 06, 2019 1:27 PM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime
Hello,
The request doesn't really make sense.
There's no OCSP nextUpdate time, that's part of a CRL.
Kind regards
Noel
On 06.11.19 at 00:03, Modster, Anthony wrote:
> Hello
>
> ? what is the nextUpdate time
>
> ? is it configurable
>
> https://wiki.strongswan.org/issues/568
>
> Thanks
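To make the CRL nextUpdate field discussed in this thread concrete, here is an added example (not part of any message above, and not strongSwan code) that issues a CRL with a one-hour lifetime from a throwaway CA and reads back its thisUpdate/nextUpdate window. It assumes the OpenSSL command line tool and GNU date; the CA, file names and the helper names make_demo_crl and seconds_until_refetch are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway CA and CRL, constructed in a temp directory.
# make_demo_crl and seconds_until_refetch are hypothetical helper names.

# Build a demo CA and issue an empty CRL valid for $1 hours; prints the CRL path.
make_demo_crl() {
    d=$(mktemp -d) || return 1
    : > "$d/index.txt"                      # empty certificate database
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database   = $d/index.txt
default_md = sha256
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # -crlhours sets the distance between thisUpdate and nextUpdate.
    openssl ca -config "$d/ca.cnf" -gencrl -crlhours "$1" \
        -keyfile "$d/ca.key" -cert "$d/ca.pem" -out "$d/crl.pem" 2>/dev/null || return 1
    echo "$d/crl.pem"
}

# Seconds left until nextUpdate of the CRL in $1 (negative once it has passed).
seconds_until_refetch() {
    next=$(openssl crl -in "$1" -noout -nextupdate) || return 1
    next=${next#nextUpdate=}                # e.g. "Nov  6 23:31:03 2019 GMT"
    echo $(( $(date -u -d "$next" +%s) - $(date -u +%s) ))   # GNU date
}

crl=$(make_demo_crl 1) || exit 1
openssl crl -in "$crl" -noout -lastupdate -nextupdate
echo "nextUpdate passes in $(seconds_until_refetch "$crl") seconds"
```

The value printed on the last line is the longest a relying party that waits for nextUpdate would keep using this CRL, which is why the CRL lifetime bounds how quickly a revocation takes effect.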