X509 CA store is not purged during 'ipsec rereadcacerts'
Steps to reproduce:
1. Have 2 IPsec clients (A, B) configured to use their own certificates, signed by different CAs
2. Have these 2 CAs in the cacerts folder
3. Establish IPsec connection in roadwarrior scenario from client A
4. Remove CA that is used by client B from cacerts folder
5. Call 'ipsec rereadcacerts'
6. Try to connect client B
Expected result:
- It doesn't work, since its certificate is no longer trusted
Actual result:
- It works
- ipsec listcacerts still shows the removed CA in the list
I don't want to stop and start ipsec, since I don't want to lose established connections (client A, other tunnels)
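An added verification script for step 5 (this is not part of the issue or of strongSwan): it parses the output of `ipsec listcacerts` and reports every CA still held by charon whose serial number matches no file left in the cacerts folder, which is exactly the stale-CA condition described above. It assumes `openssl` is installed and that the cacerts path is the one shown; the embedded listing is constructed sample data, not real output.

```shell
#!/bin/sh
# Added check: find CA certificates still loaded in charon after
# 'ipsec rereadcacerts' that no longer have a file in the cacerts folder.
CACERTS_DIR="${CACERTS_DIR:-/etc/ipsec.d/cacerts}"   # assumed default path

# Normalize a hex serial from either tool ("3A:0F" or "serial=3A0F" -> "3a0f").
norm_serial() {
    printf '%s' "$1" | sed -e 's/^serial=//' -e 's/://g' -e 's/^0*//' | tr 'A-F' 'a-f'
}

# Serials of the CA files actually present on disk, one per line.
disk_serials() {
    for f in "$CACERTS_DIR"/*; do
        [ -f "$f" ] || continue
        s=$(openssl x509 -in "$f" -noout -serial 2>/dev/null) || continue
        norm_serial "$s"; echo
    done
}

# Turn 'ipsec listcacerts' output (stdin) into "serial<TAB>subject" lines.
parse_listcacerts() {
    awk '
        /^[[:space:]]*subject:/ { sub(/^[[:space:]]*subject:[[:space:]]*"/, ""); sub(/"$/, ""); subj = $0 }
        /^[[:space:]]*serial:/  { sub(/^[[:space:]]*serial:[[:space:]]*/, ""); print $0 "\t" subj }
    '
}

# Print each loaded CA (listing on stdin) whose serial is absent from the
# newline-separated on-disk set in $1. Empty output means the store is clean.
stale_cas() {
    ondisk="$1"
    parse_listcacerts | while IFS="$(printf '\t')" read -r serial subj; do
        n=$(norm_serial "$serial")
        printf '%s\n' "$ondisk" | grep -Fqx -- "$n" \
            || printf 'stale: %s (serial %s)\n' "$subj" "$serial"
    done
}

# Constructed sample: CA A is still on disk, CA B's file was removed.
SAMPLE_LISTING='List of X.509 CA Certificates

  subject:  "C=CH, O=strongSwan, CN=CA A"
  issuer:   "C=CH, O=strongSwan, CN=CA A"
  serial:    01:a2

  subject:  "C=CH, O=strongSwan, CN=CA B"
  issuer:   "C=CH, O=strongSwan, CN=CA B"
  serial:    0b:ff'
SAMPLE_DISK_SERIALS="1a2"

# Live run against the local daemon: ./stale_cas.sh --live
[ "${1:-}" = "--live" ] && ipsec listcacerts | stale_cas "$(disk_serials)"
```

Run with `--live` right after `ipsec rereadcacerts`; any `stale:` line means the removed CA is still trusted and the daemon must be restarted to drop it.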
#5 Updated by Martin Willi over 5 years ago
- Category changed from configuration to libcharon
- Assignee changed from Andreas Steffen to Martin Willi
- Target version set to 5.3.0
- Resolution set to Fixed
With the referenced merge, "ipsec reread" removes any previously loaded CA certificates before reloading them from disk. I think this behavior is closer to what a user expects; closing the issue.