[strongSwan] How does strongswan handle renewed or expired CRLs?

Harald Dunkel harald.dunkel at aixigo.com
Fri Apr 8 10:02:02 CEST 2022


Hi Tobias,

On 2022-04-01 12:05:38, Tobias Brunner wrote:
> 
>> Even on
>> "ipsec rereadcrls" the new CRL was ignored.
> 
> This reads CRLs from /etc/ipsec.d/crls, nothing else.  To flush the
> in-memory cache use `ipsec purgecrls` (CRLs cached on disk have to be
> deleted manually from the directory above, note that that requires a
> restart).
> 

this is hard to anticipate. Running rereadcrls, why should I want to
prefer the cached CRLs over the CRLs to be found on the net? To avoid
a DNS lookup and a single web access?

Typically the PKIs create a CRL for, let's say, 30 days. In case of emergency
a new CRL might be issued on the next day. How is strongswan supposed
to be notified about this emergency? There is no flow of information here.

I would suggest investing in the web access at least once per day,
regardless of when the CRL is supposed to expire. If the remote site is not
reachable, then we can fall back to the cached version.


Just a suggestion, of course. Should I file an enhancement request?


Regards
Harri
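The daily-refresh policy proposed in this message, as an added example that is not strongSwan code and not something either poster provided: a job that fetches the CRL from its distribution point once a day, installs it into strongSwan's CRL directory only if it is newer (by thisUpdate) than the cached copy, keeps the cached copy when the fetch fails, and refuses a fetched CRL that is older than the cache (a stale mirror). Only thisUpdate/nextUpdate are decoded, with a minimal DER reader; signature verification is left to strongSwan, which checks the CRL against the CA certificate when it loads it. The CDP URL, the file name `ca.crl`, and the two sample CRLs (built by `build_test_crl`, unsigned skeletons, not real CRLs) are constructed for the example; the `ipsec purgecrls` / `ipsec rereadcrls` calls follow the quoted reply above.

```python
import datetime as dt
import os
import subprocess
import sys
import urllib.request

# strongSwan's CRL directory, as named in the quoted reply.
CRL_DIR = "/etc/ipsec.d/crls"
_UTC = dt.timezone.utc


def _tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _enc(tag, content):
    """Encode one DER TLV (only used to build the constructed sample CRLs)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=_UTC)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER X.509 CRL (RFC 5280, section 5.1).
    Raises ValueError/IndexError on anything that is not a CRL-shaped blob."""
    tag, cert_list, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, tbs, _ = _tlv(cert_list, 0)       # tbsCertList
    if tag != 0x30:
        raise ValueError("no tbsCertList")
    tag, _, pos = _tlv(tbs, 0)             # version (OPTIONAL INTEGER) or signature AlgId
    if tag == 0x02:
        tag, _, pos = _tlv(tbs, pos)       # signature AlgorithmIdentifier
    tag, _, pos = _tlv(tbs, pos)           # issuer Name
    tag, val, pos = _tlv(tbs, pos)         # thisUpdate
    if tag not in (0x17, 0x18):
        raise ValueError("thisUpdate missing")
    this_update, next_update = _der_time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _tlv(tbs, pos)
        if tag in (0x17, 0x18):            # nextUpdate is OPTIONAL
            next_update = _der_time(tag, val)
    return this_update, next_update


def choose_crl(cached, fetched, now):
    """Decide which CRL to keep. fetched is None when the download failed.
    Returns (der_to_install_or_keep, human-readable reason)."""
    f_this = None
    if fetched is not None:
        try:
            f_this, _ = crl_validity(fetched)
        except (ValueError, IndexError):
            fetched = None                 # garbage from the CDP: treat as fetch failure
    if fetched is None:
        if cached is None:
            return None, "no CRL available at all"
        _, c_next = crl_validity(cached)
        if c_next is not None and c_next < now:
            return cached, "fetch failed and cached CRL is expired: revocation checks will fail"
        return cached, "fetch failed; keeping cached CRL"
    if cached is None:
        return fetched, "no cached CRL; installing fetched CRL"
    c_this, _ = crl_validity(cached)
    if f_this > c_this:
        return fetched, "fetched CRL is newer (thisUpdate %s > %s)" % (f_this, c_this)
    if f_this < c_this:
        return cached, "fetched CRL is older than the cache (stale mirror?); keeping cache"
    return cached, "CRL unchanged"


def refresh_crl(cdp_url, cache_path, now=None):
    """Daily job: fetch, decide, install atomically, make strongSwan reload."""
    now = now or dt.datetime.now(_UTC)
    cached = open(cache_path, "rb").read() if os.path.exists(cache_path) else None
    try:
        with urllib.request.urlopen(cdp_url, timeout=15) as resp:
            fetched = resp.read()
    except (OSError, ValueError):          # DNS failure, timeout, HTTP error, bad URL
        fetched = None
    chosen, reason = choose_crl(cached, fetched, now)
    if chosen is not None and chosen != cached:
        tmp = cache_path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(chosen)
        os.replace(tmp, cache_path)        # atomic swap: a reload never sees a half-written file
        subprocess.run(["ipsec", "purgecrls"], check=False)   # flush in-memory cache (per reply above)
        subprocess.run(["ipsec", "rereadcrls"], check=False)  # reload from CRL_DIR
    return reason


def build_test_crl(this_update, next_update):
    """Constructed, unsigned CRL skeleton (v2, sha256WithRSA OID, empty issuer); NOT a real CRL."""
    utc = lambda t: _enc(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _enc(0x30, _enc(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + alg + _enc(0x30, b"") + utc(this_update) + utc(next_update))
    return _enc(0x30, tbs + alg + _enc(0x03, b"\x00"))


# Constructed samples: the 30-day CRL the PKI issued in March and the emergency one issued a day later.
NOW = dt.datetime(2022, 4, 8, 10, 0, tzinfo=_UTC)
MONTHLY_CRL = build_test_crl(dt.datetime(2022, 3, 20, tzinfo=_UTC), dt.datetime(2022, 4, 19, tzinfo=_UTC))
EMERGENCY_CRL = build_test_crl(dt.datetime(2022, 3, 21, tzinfo=_UTC), dt.datetime(2022, 4, 20, tzinfo=_UTC))

if __name__ == "__main__":                 # e.g. from cron: refresh.py http://pki.example/ca.crl
    print(refresh_crl(sys.argv[1], os.path.join(CRL_DIR, "ca.crl")))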

