[strongSwan] Strongswan caching CRL's when setting is set to "no"

Eric Germann ekgermann at semperen.com
Wed Jun 1 19:19:18 CEST 2022


Does "<conn>.reauth_time" and leaving "break_before_make" alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached CRLs?

Apologies for all the questions.

Eric


> On Jun 1, 2022, at 10:43 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Eric,
> 
>> 16[IKE] received end entity cert "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG]   using certificate "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG]   using trusted ca certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG] checking certificate status of "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> >>>>> 16[CFG]   fetching crl from 'https://ipsec-crl.s3.us-east-2.amazonaws.com/Semperen%2BIPSec%2BSigning%2BAuthority%2BCRL.crl' … <<<<
>> 16[CFG]   using trusted certificate "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG]   crl correctly signed by "CN=semperen-ipsec-ca, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
>> 16[CFG]   crl is valid: until Oct 13 19:33:11 2049
>> 16[CFG] certificate status is good
>> 16[CFG]   reached self-signed root ca with a path length of 0
> 
> This happens on demand when the peer certificate is verified, not when the daemon is started.
> 
> Regards,
> Tobias

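To make the question above concrete, the following swanctl.conf / strongswan.conf fragments are an added illustration (editor's example, not configuration from this thread or from the strongSwan project). They enable periodic IKE reauthentication and a strict revocation policy for the peer, and leave CRL caching at its default of "no". The connection name `pfsense`, the addresses, the local certificate file name and the traffic selectors are assumptions; the peer identity and CA name are taken from the log lines quoted above.

```conf
# /etc/swanctl/swanctl.conf   (example only; names and addresses are assumed)
connections {
    pfsense {
        remote_addrs = 203.0.113.10       # assumed peer address
        # Reauthentication tears the IKE_SA down and builds a new one with a
        # full IKE_AUTH exchange, so the peer certificate (and its revocation
        # status) is verified again at that point. rekey_time alone only
        # refreshes keys and does not re-verify certificates.
        reauth_time = 4h
        local {
            auth  = pubkey
            certs = vpn-gw.crt              # assumed local end-entity cert
        }
        remote {
            auth = pubkey
            id   = "CN=pfsense.semperen.net, C=US, ST=OH, L=Van Wert, O=The Semperen Group, OU=Network Operations"
            # strict: authentication fails unless a valid CRL or OCSP response
            # is obtained, instead of the default "relaxed" policy that
            # tolerates a failed fetch.
            revocation = strict
        }
        children {
            net {
                local_ts  = 10.0.0.0/24     # assumed
                remote_ts = 10.1.0.0/24     # assumed
            }
        }
    }
}

# /etc/strongswan.conf   (example only)
charon {
    # no (the default): CRLs fetched via HTTP or LDAP are not written to
    # /etc/swanctl/x509crl, so nothing on disk survives a daemon restart.
    cache_crls = no
    # Unrelated to revocation: controls whether reauthentication uses a
    # make-before-break (yes) or break-before-make (no, default) scheme.
    make_before_break = no
    plugins {
        revocation {
            enable_crl  = yes
            enable_ocsp = yes
        }
    }
}
```

After `swanctl --load-all` (and `swanctl --reload-settings` for the strongswan.conf changes), `swanctl --list-sas` shows the time until the next reauthentication; whether that reauthentication re-fetches the CRL rather than reusing an in-memory copy is best confirmed by looking for a fresh `fetching crl from '…'` line in the charon log at that moment.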