Hello Stephen,
Thanks again.
I have seen at http://wiki.strongswan.org/projects/strongswan/wiki/Autoconf
that plug-ins are specified at strongSwan binary creation (./configure).
There is any way when strongSwan is load to make the choice of plug-ins to load
(e.g. revocation).
Which is the best strongSwan deployment policy when some runs need the
revocation plug-in and some other runs do not need the plug-in.
Context: Charon under Linux
Best Regards
Mugur
-Original Message-
From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
Sent: jeudi 24 novembre 2011 12:51
To: ABULIUS, MUGUR (MUGUR)
Cc: users@lists.strongswan.org; SCARAZZINI, FABRICE (FABRICE); Pisano, Stephen
G (Stephen); WASNIEWSKI, ALAIN (ALAIN)
Subject: Re: [strongSwan] How to bypass CRL checks?
Hello Mugur,
with IKEv2 revocation checks can be easily disabled by not loading the
revocation plugin. What is not possible is to disable CRL checking on a per
connection definition basis.
Regards
Andreas
On 11/24/2011 08:50 AM, ABULIUS, MUGUR (MUGUR) wrote:
Hello,
Our understanding in case of setting strictcrlpolicy to **no** for
charon is that strongSwan denies the authentication if the certificate
appears in the fetched CRL. But, if the certificate does not specify
an uri or if the CRL can't be fetched the authentication is not
denied.
Can you please check our understanding?
In case our assumption is correct we are looking for a way to set-up
strongSwan (for some specific run scenarios) to bypass any CRL checks
(even if strictcrlpolicy=no). We are looking for this capability even
if received certificates specify an uri and the corresponding CRL can
be fetched from CDP.
Thank you
Mugur
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications University of Applied
Sciences Rapperswil CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users