[strongSwan] Strongswan caching CRL's when setting is set to "no"

Tobias Brunner tobias at strongswan.org
Mon May 30 12:02:53 CEST 2022

Hi Eric,

>   When IKE reauthenticates the log says it is loading crl from the 
> directory (which has nothing in it).

What exactly are you referring to here?  Logs?

> Also forcing “rereadcrls” doesn’t 
> cause a new fetch.  “files” and “curl” plugins are loaded.

If there is a cached CRL (note that `cachecrls` refers to caching CRLs 
persistently in /etc/ipsec.d/crls, not the in-memory cache) that's still 
valid, there won't be a new fetch.  And the `rereadcrls` command has no 
effect on this as it only triggers a reload of CRLs from 
/etc/ipsec.d/crls, it does not purge any in-memory caches (try 
`purgecrls` for that).  Also see this thread [1].


[1] https://lists.strongswan.org/pipermail/users/2022-April/015291.html

More information about the Users mailing list