[strongSwan] How does strongswan handle renewed or expired CRLs?
Tobias Brunner
tobias at strongswan.org
Fri Apr 1 12:05:38 CEST 2022
Hi Harri,
> Apparently certificate revocation lists have an expiration date. AFAIU
> this is the maximum time a CRL should be cached.
Technically, it's the date by which the next CRL will be issued. A CRL
is considered valid until that date.
> I had revoked a few road-warrior certificates and put a new CRL on
> my web server within this grace period, but strongswan refused to
> check the URL for an update, as Apache's access.log shows.
strongSwan only checks the URL if no valid CRL is found locally.
Either manually installed or cached (in-memory and, if charon.cache_crls
and/or cachecrls in config setup is enabled, on disk).
> Even on
> "ipsec rereadcrls" the new CRL was ignored.
This reads CRLs from /etc/ipsec.d/crls, nothing else. To flush the
in-memory cache use `ipsec purgecrls` (CRLs cached on disk have to be
deleted manually from the directory above, note that that requires a
restart).
> And a related question: Do I have to assume that all road-warrior
> certificates become unusable, if the CRL mentioned in the certificates
> expires?
Only if strictcrlpolicy is enabled (revocation in swanctl.conf).
Regards,
Tobias
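As an added example to go with the answer above (not code from the thread or from strongSwan itself), the following POSIX shell script checks whether a CRL file is still within its nextUpdate window, which is exactly the condition under which charon keeps using the local or cached copy and does not contact the distribution point. It assumes the OpenSSL CLI and GNU `date` are installed; the throwaway CA and CRL it builds are constructed here only so the check can be run offline, and the CA name, directory layout and file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of strongSwan: report whether a CRL file is still
# "valid" in the sense used above, i.e. its nextUpdate lies in the future.
# Assumes the OpenSSL CLI and GNU date are available.
set -eu

# crl_dates FILE -> prints "lastUpdate=..." and "nextUpdate=..." lines.
# Accepts PEM or DER (strongSwan caches CRLs on disk in DER form).
crl_dates() {
    f=$1
    openssl crl -in "$f" -noout -lastupdate -nextupdate 2>/dev/null \
        || openssl crl -inform DER -in "$f" -noout -lastupdate -nextupdate
}

# crl_is_valid FILE -> exit 0 if nextUpdate is still in the future, 1 if not,
# 2 if the file could not be parsed. A valid CRL is one charon will keep using,
# so a newer CRL published at the CDP URL is not fetched until purgecrls/expiry.
crl_is_valid() {
    next=$(crl_dates "$1" | sed -n 's/^nextUpdate=//p')
    [ -n "$next" ] || return 2
    next_epoch=$(date -d "$next" +%s)
    now=$(date +%s)
    if [ "$next_epoch" -gt "$now" ]; then
        echo "$1: valid until $next (strongSwan will not refetch)"
        return 0
    else
        echo "$1: expired at $next (strongSwan will fetch from the CDP URL)"
        return 1
    fi
}

# make_test_crl DIR -> constructed test data: a throwaway CA and a CRL valid
# for 7 days, written as crl.pem and crl.der in DIR. Placeholder names only.
make_test_crl() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Test CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    : > "$d/index.txt"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $d/index.txt
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 7
EOF
    openssl ca -config "$d/ca.cnf" -gencrl -keyfile "$d/ca.key" \
        -cert "$d/ca.crt" -out "$d/crl.pem" 2>/dev/null
    # Convert to DER so both encodings that strongSwan accepts are exercised.
    openssl crl -in "$d/crl.pem" -outform DER -out "$d/crl.der"
}

# Usage against a real cache entry (path from the thread, file name is yours):
#   crl_is_valid /etc/ipsec.d/crls/<your-crl-file>
```

Run `crl_is_valid` against the files in /etc/ipsec.d/crls before publishing a replacement CRL: if it reports "valid until", the daemon will keep that copy and you need `ipsec purgecrls` (or deletion of the on-disk copy plus a restart, as described above) for the new CRL to be picked up.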