[strongSwan] OCSP update dime

Modster, Anthony Anthony.Modster at Teledyne.com
Wed Nov 6 22:31:03 CET 2019


Hello
Then what is Andreas referencing? Below is the issue reported:
https://wiki.strongswan.org/issues/568 

Hi Jim,

the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly, then you must either dramatically reduce the lifetime of a CRL, e.g. down to an hour, or use the Online Certificate Status Protocol (OCSP), which will give you real-time information on the certificate status.

Andreas

-----Original Message-----
From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
Sent: Wednesday, November 06, 2019 1:27 PM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] OCSP update dime

Hello,

The request doesn't really make sense.
There's no OCSP nextUpdate time, that's part of a CRL.

Kind regards

Noel

On 06.11.19 at 00:03, Modster, Anthony wrote:
> Hello
>
> What is the nextUpdate time?
>
> Is it configurable?
>
> https://wiki.strongswan.org/issues/568
>
> Thanks
> 
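The CRL caching behaviour quoted from issue 568 above can be modelled to show how the CRL lifetime bounds the delay before a revocation is noticed. This is an added example, not part of the thread and not strongSwan code; `ToyCa`, `CachingVerifier`, `detection_delay` and the serial number are hypothetical, and the model assumes the CA hands out a freshly issued CRL whenever it is fetched.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # revoked serial numbers

class ToyCa:
    """Constructed CA: issues a CRL with a fixed lifetime at fetch time (assumption)."""
    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.revocations = {}  # serial -> time of revocation

    def revoke(self, serial, when):
        self.revocations[serial] = when

    def issue_crl(self, now):
        revoked = frozenset(s for s, t in self.revocations.items() if t <= now)
        return Crl(now, now + self.lifetime, revoked)

class CachingVerifier:
    """Relying party that reuses its cached CRL until nextUpdate has passed."""
    def __init__(self, ca):
        self.ca = ca
        self.cached = None

    def is_revoked(self, serial, now):
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.ca.issue_crl(now)  # only point where a fetch happens
        return serial in self.cached.revoked

def detection_delay(lifetime, revoke_after, check_every=timedelta(minutes=5)):
    """Time from revocation until the verifier first rejects the certificate."""
    start = datetime(2019, 11, 6, tzinfo=timezone.utc)  # constructed start time
    serial = 0x1001                                     # constructed serial number
    ca = ToyCa(lifetime)
    verifier = CachingVerifier(ca)
    verifier.is_revoked(serial, start)  # first check caches a CRL issued at start
    revoked_at = start + revoke_after
    ca.revoke(serial, revoked_at)
    now = revoked_at
    while not verifier.is_revoked(serial, now):
        now += check_every
    return now - revoked_at

if __name__ == "__main__":
    for lifetime in (timedelta(hours=1), timedelta(days=7)):
        print(lifetime, "->", detection_delay(lifetime, timedelta(minutes=10)))
```

With a revocation ten minutes after the CRL was cached, the delay is the remainder of the CRL lifetime, which is why shortening that lifetime is the lever named in the quoted reply.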


