Hi Michael,

> This works fine usually as strongswan appears to use the last loaded CRL
> as the one to check when a new IKE connection is requested.

Yes, the code in vici_cred.c is definitely not ideal. It adds a loaded CRL just like a regular certificate to the credential set, which means it just gets added to the front of the list of trusted certificates. Instead, we should call add_crl(), which actually compares the CRL to already loaded ones (in the same credential set) and drops it if it was superseded.

I pushed a fix for this to the vici-load-cert-crl branch [1]. Let me know if that works for you.

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/vici-load-cert-crl
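The difference described in the message above, as an added example that is not part of the original e-mail and is not strongSwan code: a front-insert list returns whichever CRL was loaded last, even a stale one, while a CRL-aware add keeps only the newest CRL per issuer. All type and function names are hypothetical, and ordering CRLs by crlNumber alone is an assumption made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CRLS 8

/* Simplified stand-ins for a parsed CRL and a credential set (hypothetical types). */
struct crl { const char *issuer; unsigned long number; };
struct cred_set { struct crl items[MAX_CRLS]; int count; };

/* Certificate-style add: the most recently loaded entry goes to the front. */
static void add_front(struct cred_set *s, struct crl c) {
    if (s->count == MAX_CRLS) return;
    memmove(&s->items[1], &s->items[0], s->count * sizeof(c));
    s->items[0] = c;
    s->count++;
}

/* CRL-aware add (assumed ordering: higher crlNumber is newer); 0 means dropped. */
static int add_superseding(struct cred_set *s, struct crl c) {
    for (int i = 0; i < s->count; i++) {
        if (strcmp(s->items[i].issuer, c.issuer) != 0) continue;
        if (c.number <= s->items[i].number) return 0;  /* superseded: drop it */
        s->items[i] = c;                               /* replace the older CRL */
        return 1;
    }
    if (s->count == MAX_CRLS) return 0;
    s->items[s->count++] = c;
    return 1;
}

/* First-match lookup, as for any list of trusted credentials. */
static const struct crl *find_crl(const struct cred_set *s, const char *issuer) {
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->items[i].issuer, issuer) == 0) return &s->items[i];
    return NULL;
}

/* Load CRL #5, then re-load stale CRL #3; return the number a lookup yields. */
unsigned long crl_used_after_stale_reload(int crl_aware) {
    struct cred_set s = { .count = 0 };
    struct crl fresh = { "CN=Example CA", 5 };  /* constructed sample */
    struct crl stale = { "CN=Example CA", 3 };  /* constructed sample */
    if (crl_aware) { add_superseding(&s, fresh); add_superseding(&s, stale); }
    else           { add_front(&s, fresh);       add_front(&s, stale); }
    return find_crl(&s, "CN=Example CA")->number;
}

int main(void) {
    printf("front-insert uses CRL #%lu, CRL-aware uses CRL #%lu\n",
           crl_used_after_stale_reload(0), crl_used_after_stale_reload(1));
    return 0;
}
```

With front insertion, a certificate revoked only in CRL #5 would pass the revocation check after the stale re-load, which is why the load order should not decide which CRL is consulted.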
