[strongSwan] Strongswan caching CRL's when setting is set to "no"

Eric K Germann ekgermann at semperen.com
Tue May 31 19:09:23 CEST 2022

I would concur with Harri's point of adding an option to periodically 
reread the CRL's from whatever source they came from.

What's the point of SS having an option to auto fetch a CRL at startup 
but then either having to create an outside-SS workflow to update it or 
do it by hand?  If you do it by hand you might as do the init by hand 

On 2022-05-30 06:02, Tobias Brunner wrote:

> Hi Eric,
>> When IKE reauthenticates the log says it is loading crl from the 
>> directory (which has nothing in it).
> What exactly are you referring to here?  Logs?
>> Also forcing "rereadcrls" doesn't cause a new fetch.  "files" and 
>> "curl" plugins are loaded.
> If there is a cached CRL (note that `cachecrls` refers to caching CRLs 
> persistently in /etc/ipsec.d/crls, not the in-memory cache) that's 
> still valid, there won't be a new fetch.  And the `rereadcrls` command 
> has no effect on this as it only triggers a reload of CRLs from 
> /etc/ipsec.d/crls, it does not purge any in-memory caches (try 
> `purgecrls` for that).  Also see this thread [1 [1]].
> Regards,
> Tobias
> [1] https://lists.strongswan.org/pipermail/users/2022-April/015291.html

[1] https://lists.strongswan.org/pipermail/users/2022-April/015291.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220531/4a94cf24/attachment.html>

More information about the Users mailing list