[strongSwan] How does strongswan handle renewed or expired CRLs?
harald.dunkel at aixigo.com
Fri Apr 1 09:29:12 CEST 2022
Platform: 5.9.4 on Debian 11. Private CA. CRL distributed
Apparently certificate revocation lists have an expiration date. AFAIU
this is the maximum time a CRL should be cached.
I had revoked a few road-warrior certificates and put a new CRL on
my web server within this grace period, but strongswan refused to
check the URL for an update, as Apache's access.log shows. Even on
"ipsec rereadcrls" the new CRL was ignored. I had to restart
strongswan to make it use the new CRL. Is this as expected?
And a related question: Do I have to assume that all road-warrior
certificates become unusable if the CRL mentioned in the certificates
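The following is an added example, not part of the post above and not strongSwan code. It builds a throwaway CA with the openssl CLI, revokes one of two road-warrior certificates, issues a CRL whose nextUpdate is one day out, and then checks three things a practitioner would want to verify on the CRL actually served by the web server: that the revoked serial is listed, that verification with -crl_check rejects the revoked certificate, and what happens to a still-valid certificate once the CRL's nextUpdate has passed (evaluated with -attime instead of waiting). Names (DemoCA, rw1, rw2, the serials 0x1001/0x1002, crl.pem) are assumptions for the demo; everything is generated locally and runs offline. It shows how OpenSSL treats the CRL's validity window and revocation entries; it says nothing about which copy strongSwan currently holds, which you would compare against `ipsec listcrls` on the gateway.

```shell
#!/bin/sh
# Added example (not from the post or from strongSwan): exercise CRL validity
# windows and revocation checks with a throwaway CA, fully offline.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
EOF

# Constructed test PKI: a CA valid for 10 days (names/serials are made up).
openssl req -config req.cnf -x509 -new -newkey rsa:2048 -nodes -days 10 \
    -subj /CN=DemoCA -addext basicConstraints=critical,CA:TRUE \
    -keyout ca.key -out ca.crt 2>/dev/null

issue() {  # $1 = CN, $2 = serial; road-warrior cert signed by DemoCA
    openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -set_serial "$2" -days 10 -out "$1.crt" 2>/dev/null
}
issue rw1 0x1001
issue rw2 0x1002

# Minimal 'openssl ca' config: only what -revoke and -gencrl need.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 1
EOF
touch index.txt
echo 01 > crlnumber

# Revoke rw1 and issue a CRL whose nextUpdate is one day out. nextUpdate is the
# "expiration date": the latest moment a relying party may keep using a cached copy.
openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -md sha256 \
    -revoke rw1.crt 2>/dev/null
openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -md sha256 \
    -gencrl -crldays 1 -out crl.pem 2>/dev/null

# Validity window of a CRL (lastUpdate/nextUpdate), as you would read it off
# the file the web server actually serves.
crl_window() { openssl crl -in "$1" -noout -lastupdate -nextupdate; }

# Does the CRL list this certificate's serial number?  $1 = cert, $2 = CRL
serial_in_crl() {
    s=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
    openssl crl -in "$2" -noout -text | grep -qF "Serial Number: $s"
}

# Verify a certificate against the CA with CRL checking, evaluated at an
# arbitrary time (epoch seconds, default now). Exit status is OpenSSL's.
verify_with_crl() {  # $1 = cert, $2 = epoch seconds (optional)
    openssl verify -attime "${2:-$(date +%s)}" -crl_check \
        -CAfile ca.crt -CRLfile crl.pem "$1" 2>&1
}

# Reduce the verdict to one word: OK, REVOKED, CRL_EXPIRED or OTHER.
crl_status() {  # $1 = cert, $2 = epoch seconds (optional)
    out=$(verify_with_crl "$1" "${2:-}") && { echo OK; return 0; }
    case $out in
        *"certificate revoked"*) echo REVOKED ;;
        *"CRL has expired"*)     echo CRL_EXPIRED ;;
        *)                       echo OTHER ;;
    esac
}

NOW=$(date +%s)
LATER=$((NOW + 3 * 86400))   # certs still valid, but the CRL is past nextUpdate

crl_window crl.pem
echo "rw1 now:        $(crl_status rw1.crt)"
echo "rw2 now:        $(crl_status rw2.crt)"
echo "rw2 in 3 days:  $(crl_status rw2.crt "$LATER")"
```

The third check is the one behind the second question in the post: once nextUpdate is in the past, OpenSSL stops trusting the CRL and verification of every certificate that depends on it fails with "CRL has expired", revoked or not. The same window check applied to the file on your web server (crl_window) tells you whether the CRL you published is still within its validity period and whether its lastUpdate is newer than the copy you expect the gateway to have cached.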