[strongSwan] Strongswan caching CRL's when setting is set to "no"
Tobias Brunner
tobias at strongswan.org
Wed Jun  1 16:43:13 CEST 2022

Hi Eric,

> 16[IKE] received end entity cert "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
> 16[CFG]   using certificate "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
> 16[CFG]   using trusted ca certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
> 16[CFG] checking certificate status of "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>  >>>>> 16[CFG]   fetching crl from 'https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl' … <<<<
> 16[CFG]   using trusted certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
> 16[CFG]   crl correctly signed by "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
> 16[CFG]   crl is valid: until Oct 13 19:33:11 2049
> 16[CFG] certificate status is good
> 16[CFG]   reached self-signed root ca with a path length of 0

This happens on demand when the peer certificate is verified, not when
the daemon is started.

Regards,
Tobias
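
Added example, not part of the original message and not strongSwan project code: a small parser that groups charon log lines by thread number and reports, for each certificate status check, whether a CRL fetch was logged inside that check, which is how the on-demand behaviour described above shows up in a log. The sample lines are constructed, and the line format is assumed to match the excerpt quoted in this message.

```python
import re
from datetime import datetime

# Constructed sample modelled on the charon lines quoted in this thread
# (subject names shortened, URL replaced by a placeholder). The second
# check has no fetch line; it is constructed to show the contrasting case.
SAMPLE_LOG = """\
16[CFG] checking certificate status of "CN=gw.example.test"
16[CFG]   fetching crl from 'https://crl.example.test/ca.crl' ...
16[CFG]   crl correctly signed by "CN=example-ca"
16[CFG]   crl is valid: until Oct 13 19:33:11 2049
16[CFG] certificate status is good
07[CFG] checking certificate status of "CN=other.example.test"
07[CFG] certificate status is good
"""

# Assumed line shape: <thread>[<group>] <message>, as in the quoted excerpt.
LINE = re.compile(r"^(\d+)\[(\w+)\]\s+(.*)$")
CHECK = re.compile(r'^checking certificate status of "(.*)"$')
FETCH = re.compile(r"^fetching crl from '([^']+)'")
VALID = re.compile(r"^crl is valid: until (\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})$")
STATUS = re.compile(r"^certificate status is (\w+)")


def crl_checks(log_text):
    """Return one record per completed certificate status check."""
    open_checks, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, _group, msg = m.groups()
        if (c := CHECK.match(msg)):
            open_checks[thread] = {"thread": thread, "subject": c.group(1),
                                   "fetched_from": None,
                                   "crl_valid_until": None, "status": None}
            continue
        rec = open_checks.get(thread)
        if rec is None:
            continue  # line is outside any status check on this thread
        if (f := FETCH.match(msg)):
            rec["fetched_from"] = f.group(1)
        elif (v := VALID.match(msg)):
            rec["crl_valid_until"] = datetime.strptime(v.group(1), "%b %d %H:%M:%S %Y")
        elif (s := STATUS.match(msg)):
            rec["status"] = s.group(1)
            done.append(open_checks.pop(thread))
    return done
```

A record whose `fetched_from` is set means the fetch was logged between "checking certificate status" and the status result on the same thread, that is, during verification of that peer certificate.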