[strongSwan] Strongswan caching CRL's when setting is set to "no"
Eric Germann
ekgermann at semperen.com
Thu Jun 2 21:39:03 CEST 2022
> On Jun 2, 2022, at 3:50 AM, Tobias Brunner <tobias at strongswan.org> wrote:
>
> Hi Eric,
>
>> Does "<conn>.reauth_time” and leaving “break_before_make” alone force a reauth and certificate validity check on IKE/ISAKMP from non-cached crl’s?
>
> Could you please clarify your question (e.g. why do you mention break_before_make in this context?
make_before_break defaults to no. 1) no interruptions in link 2) impact on CRL test
> what do you mean with "from non-cached CRLs”?
This was testing to see if it would pull the CRL on each wreath. In my mind, if the CRL is hosted and changes and the CRL is never reloaded from its source, a revoked certificate can be used up until a start/restart occurs
> are you considering setting reath_time on the client or the server -
Yes. No effect on reload CRL
> and with what type of authentication/config?
Certs for auth
> why do you mention ISAKMP, are you actually considering using IKEv1?).
Not considering IKEv1
Looks like if the server cert is revoked, I will need to reach out to all spoke instances to bounce so they’ll find out it’s revoked.
>
> Regards,
> Tobias
More information about the Users
mailing list