
List:       strongswan-users
Subject:    Re: [strongSwan] Strongswan caching CRL's when setting is set to "no"
From:       Eric K Germann <ekgermann () semperen ! com>
Date:       2022-05-31 17:09:23
Message-ID: sig.21509a6de6.2f9b5af34356e9fea62d7830f89b2d21 () semperen ! com

I would concur with Harri's point of adding an option to periodically 
reread the CRLs from whatever source they came from.

What's the point of SS having an option to auto-fetch a CRL at startup 
but then either having to create an outside-SS workflow to update it or 
do it by hand?  If you do it by hand you might as well do the init by hand 
also.

On 2022-05-30 06:02, Tobias Brunner wrote:

> Hi Eric,
> 
>> When IKE reauthenticates the log says it is loading crl from the 
>> directory (which has nothing in it).
> 
> What exactly are you referring to here?  Logs?
> 
>> Also forcing "rereadcrls" doesn't cause a new fetch.  "files" and 
>> "curl" plugins are loaded.
> 
> If there is a cached CRL (note that `cachecrls` refers to caching CRLs 
> persistently in /etc/ipsec.d/crls, not the in-memory cache) that's 
> still valid, there won't be a new fetch.  And the `rereadcrls` command 
> has no effect on this as it only triggers a reload of CRLs from 
> /etc/ipsec.d/crls, it does not purge any in-memory caches (try 
> `purgecrls` for that).  Also see this thread [1].
> 
> Regards,
> Tobias
> 
> [1] https://lists.strongswan.org/pipermail/users/2022-April/015291.html


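A check for the behaviour Tobias describes, as an added example that is not part of this thread or of strongSwan: it reads a CRL's nextUpdate with openssl and, when the CRL is expired or about to expire, runs `purgecrls` (so the next IKE authentication fetches a fresh CRL instead of keeping the still-valid cached one) followed by `rereadcrls`. It assumes `openssl` and the `ipsec` wrapper are on PATH and that the CRL is available as a local file; the file path and the refresh margin are placeholders.

```python
"""Stale-CRL check for a strongSwan host (added example, not from this thread)."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Assumption: refresh once less than this much CRL validity remains.
REFRESH_MARGIN = timedelta(hours=1)


def parse_next_update(openssl_output: str) -> datetime:
    """Parse the 'nextUpdate=Jun  9 12:00:00 2022 GMT' line printed by openssl."""
    for line in openssl_output.splitlines():
        if line.startswith("nextUpdate="):
            # Collapse openssl's space-padded day ('Jun  9') for strptime.
            value = " ".join(line.split("=", 1)[1].split())
            parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no nextUpdate field in openssl output")


def needs_refresh(openssl_output: str, now: datetime,
                  margin: timedelta = REFRESH_MARGIN) -> bool:
    """True when the CRL is already expired or expires within `margin`."""
    return parse_next_update(openssl_output) - now <= margin


def crl_next_update_text(path: str) -> str:
    """Run openssl on a PEM or DER CRL file and return its nextUpdate output."""
    for inform in ("PEM", "DER"):
        proc = subprocess.run(
            ["openssl", "crl", "-in", path, "-inform", inform,
             "-noout", "-nextupdate"],
            capture_output=True, text=True)
        if proc.returncode == 0:
            return proc.stdout
    raise RuntimeError(f"openssl could not parse CRL {path}")


def refresh_crls() -> None:
    """Drop the in-memory CRL cache, then reload /etc/ipsec.d/crls.
    `rereadcrls` alone keeps a still-valid cached CRL (see the thread)."""
    subprocess.run(["ipsec", "purgecrls"], check=True)
    subprocess.run(["ipsec", "rereadcrls"], check=True)


if __name__ == "__main__":
    crl_path = sys.argv[1]  # placeholder, e.g. /etc/ipsec.d/crls/ca.crl
    if needs_refresh(crl_next_update_text(crl_path), datetime.now(timezone.utc)):
        refresh_crls()
```

Between the purge and a successful re-fetch no CRL is loaded, so what the daemon does with a peer in that window is governed by the `strictcrlpolicy` setting; keep the margin small enough that the window stays short.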