[strongSwan] How does strongswan handle renewed or expired CRLs?

Harald Dunkel harald.dunkel at aixigo.com
Fri Apr 1 09:29:12 CEST 2022


TL;DR:
How does strongswan handle renewed or expired CRLs?
Platform: 5.9.4 on Debian 11. Private CA. CRL distributed
via http.


Hi folks,

Apparently certificate revocation lists have an expiration date. AFAIU
this is the maximum time a CRL should be cached.

I had revoked a few road-warrior certificates and put a new CRL on
my web server within this grace period, but strongswan refused to
check the URL for an update, as Apache's access.log shows. Even on
"ipsec rereadcrls" the new CRL was ignored. I had to restart
strongswan to make it use the new CRL. Is this as expected?

And a related question: Do I have to assume that all road-warrior
certificates become unusable, if the CRL mentioned in the certificates
expires?


Regards

Harri
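The two questions in the post (does a cached CRL still say "not revoked" after the CA has published a renewed one, and what happens once the cached CRL passes its nextUpdate) can be reproduced locally with OpenSSL. The script below is an added example, not code from the original post or from the strongSwan project: it builds a throwaway private CA (made-up name, file names and serial), issues one road-warrior certificate, publishes a one-day CRL, revokes the certificate and publishes a renewed CRL, then shows that the pre-revocation copy still accepts the certificate, that the renewed copy carries a higher crlNumber (the field a relying party can compare against its cached copy to see that the cache is stale), and that a strict verifier rejects the certificate outright once the CRL it holds has expired. Files on disk stand in for the CRL fetched from the HTTP distribution point.

```sh
#!/bin/sh
# Added example, not code from the original post or from strongSwan.
# Assumptions: openssl 1.1.1 or 3.x on PATH; a throwaway private CA (made-up
# name, file names and serial) stands in for the poster's CA, and a file on
# disk stands in for the CRL fetched from the HTTP distribution point.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: the [ca] part drives "openssl ca", which keeps the issued and
# revoked database (index.txt) and the CRL counter; the [req] part makes
# "openssl req" independent of any system openssl.cnf.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
database        = index.txt
new_certs_dir   = .
certificate     = ca.crt
private_key     = ca.key
serial          = serial
crlnumber       = crlnumber
default_md      = sha256
policy          = demo_policy
[ demo_policy ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
: > index.txt
echo 1000 > serial      # serial of the first issued certificate (hex)
echo 01 > crlnumber     # crlNumber of the first CRL (hex)

# Private CA: self-signed, CA:TRUE and cRLSign so that "openssl verify"
# accepts both its certificates and its CRLs.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -config ca.cnf -key ca.key -sha256 -days 3650 \
    -subj "/CN=Demo Private CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -out ca.crt 2>/dev/null

# One road-warrior certificate, issued through "openssl ca" so it lands in the
# database and can be revoked later.
openssl genrsa -out rw.key 2048 2>/dev/null
openssl req -new -config ca.cnf -key rw.key -subj "/CN=roadwarrior1" -out rw.csr 2>/dev/null
openssl ca -config ca.cnf -batch -notext -days 30 -in rw.csr -out rw.crt 2>/dev/null

# CRL #1: published before the revocation, nextUpdate one day out. This is the
# copy a peer may still hold in its cache.
openssl ca -config ca.cnf -gencrl -crldays 1 -out crl1.pem 2>/dev/null
# Revoke the road warrior and publish the renewed CRL #2.
openssl ca -config ca.cnf -revoke rw.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -crldays 1 -out crl2.pem 2>/dev/null

# crlNumber of a CRL as openssl prints it. A renewed CRL from the same CA
# carries a higher number; comparing it with the cached copy's number is how a
# relying party can tell the cache is stale without waiting for nextUpdate.
crl_number() {
    openssl crl -in "$1" -noout -text |
        awk '/X509v3 CRL Number/ { sub(/.*CRL Number: */, ""); if ($0 == "") getline; gsub(/ /, ""); print; exit }'
}

# Whether a CRL lists the given serial (hex, as "openssl x509 -serial" prints it).
crl_lists_serial() {
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2\$"
}

# Strict relying-party check: chain plus CRL, evaluated at a chosen time
# (epoch seconds). Exit status 0 means "accepted"; the verdict goes to stdout.
# usage: verify_at CRL CERT EPOCH
verify_at() {
    openssl verify -CAfile ca.crt -CRLfile "$1" -crl_check -attime "$3" "$2" 2>&1
}

NOW=$(date +%s)
LATER=$((NOW + 3 * 86400))    # past crl1's nextUpdate, well inside rw.crt's 30 days
SERIAL=$(openssl x509 -in rw.crt -noout -serial | sed 's/^serial=//')

echo "crl1 number: $(crl_number crl1.pem), crl2 number: $(crl_number crl2.pem)"
echo "cached CRL (crl1) now:     $(verify_at crl1.pem rw.crt "$NOW" || true)"
echo "renewed CRL (crl2) now:    $(verify_at crl2.pem rw.crt "$NOW" || true)"
echo "cached CRL (crl1) expired: $(verify_at crl1.pem rw.crt "$LATER" || true)"
```

The last three lines print "OK", "certificate revoked" and "CRL has expired" respectively: with only the cached CRL the revoked road warrior is still accepted, and once that cached copy is past nextUpdate a strict verifier accepts nothing signed by that CA until it obtains a fresh CRL. Whether strongSwan itself treats the expired case as fatal depends on its CRL policy (the strictcrlpolicy setting in the config setup section of ipsec.conf); the openssl check above shows the strict behaviour.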

