Issue #568: CRL - strongSwan

Issue #568

CRL

Added by Jim Smith almost 6 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Andreas Steffen

Category:

Affected version:

5.1.2

Resolution:

No feedback

Description

Hello, we are currently having problems dynamically updating the CRL list. Once we revoke a cert, is there a way for that change to be immediate? Presently we need to restart IPSEC for the changes to occur.

Thanks for any assistance

History

#1 Updated by Andreas Steffen almost 6 years ago

Status changed from New to Feedback
Assignee set to Andreas Steffen

Hi Jim,

the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly then you must either dramatically reduce the lifetime of a CRL e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) which will give you realtime information on the certificate status.

Andreas

#2 Updated by Tobias Brunner over 4 years ago

Status changed from Feedback to Closed
Resolution set to No feedback

Also available in: Atom PDF

Project

General

Profile

strongSwan

Issues

New issues

Issue #568

CRL

History

#1 Updated by Andreas Steffen almost 6 years ago

#2 Updated by Tobias Brunner over 4 years ago