[strongSwan] Strongswan caching CRL's when setting is set to "no"
Eric K Germann
ekgermann at semperen.com
Tue May 31 19:09:23 CEST 2022
I would concur with Harri's point of adding an option to periodically
reread the CRL's from whatever source they came from.
What's the point of SS having an option to auto fetch a CRL at startup
but then either having to create an outside-SS workflow to update it or
do it by hand? If you do it by hand you might as do the init by hand
also.
On 2022-05-30 06:02, Tobias Brunner wrote:
> Hi Eric,
>
>> When IKE reauthenticates the log says it is loading crl from the
>> directory (which has nothing in it).
>
> What exactly are you referring to here? Logs?
>
>> Also forcing "rereadcrls" doesn't cause a new fetch. "files" and
>> "curl" plugins are loaded.
>
> If there is a cached CRL (note that `cachecrls` refers to caching CRLs
> persistently in /etc/ipsec.d/crls, not the in-memory cache) that's
> still valid, there won't be a new fetch. And the `rereadcrls` command
> has no effect on this as it only triggers a reload of CRLs from
> /etc/ipsec.d/crls, it does not purge any in-memory caches (try
> `purgecrls` for that). Also see this thread [1 [1]].
>
> Regards,
> Tobias
>
> [1] https://lists.strongswan.org/pipermail/users/2022-April/015291.html
Links:
------
[1] https://lists.strongswan.org/pipermail/users/2022-April/015291.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220531/4a94cf24/attachment.html>
More information about the Users
mailing list