Issue #568

CRL

Added by Jim Smith about 8 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal
Category: -
Affected version: 5.1.2
Resolution: No feedback

Description

Hello, we are currently having problems dynamically updating the CRL list. Once we revoke a cert, is there a way for that change to be immediate? Presently we need to restart IPSEC for the changes to occur.

Thanks for any assistance

History

#1 Updated by Andreas Steffen about 8 years ago

  • Status changed from New to Feedback
  • Assignee set to Andreas Steffen

Hi Jim,

the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly, then you must either dramatically reduce the lifetime of a CRL, e.g. down to an hour, or use the Online Certificate Status Protocol (OCSP), which will give you real-time information on the certificate status.

Andreas

#2 Updated by Tobias Brunner about 7 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback
