Hi Tobias

I built a patch with just the change to src/libcharon/plugins/vici/vici_cred.c given in your link https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/vici-load-cert-crl, then built, installed and ran it. All good. I loaded the CRLs in the "wrong" order via vici, ran ipsec purgecrls, ran my test and it's all working fine.

Thank you for the quick and complete response.

Best regards
Mike Cole

-----Original Message-----
From: Cole, Michael
Sent: 10 November 2015 14:34
To: 'Tobias Brunner'; [email protected]
Subject: RE: [strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls

Hi Tobias

That is excellent, it sounds like exactly what we would like. I'll patch a build and try it.

Many thanks
Mike

-----Original Message-----
From: Tobias Brunner [mailto:[email protected]]
Sent: 10 November 2015 14:27
To: Cole, Michael; [email protected]
Subject: Re: [strongSwan-dev] Handling of CRL updates different between Vici and ipsec rereadcrls

Hi Michael,

> This works fine usually as strongswan appears to use the last loaded
> CRL as the one to check when a new IKE connection is requested.

Yes, the code in vici_cred.c is definitely not ideal. It adds a loaded CRL just like a regular certificate to the credential set, which means it just gets added to the front of the list of trusted certificates. Instead, we should call add_crl(), which actually compares the CRL to already loaded ones (in the same credential set) and drops it if it was superseded.

I pushed a fix for this to the vici-load-cert-crl branch [1]. Let me know if that works for you.

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/vici-load-cert-crl

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
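The two behaviours Tobias contrasts above, as an added toy model (not strongSwan's code): a CRL loaded "like a certificate" is prepended so the most recently loaded one wins, whereas a hypothetical add_crl() compares CRL numbers per issuer and drops a superseded CRL regardless of load order. The issuer name and CRL numbers are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of a CRL: issuer name plus RFC 5280 cRLNumber, which
 * increases with every CRL the issuer publishes. */
typedef struct { const char *issuer; uint32_t number; } crl_t;

#define MAX_CRLS 16
typedef struct { crl_t crls[MAX_CRLS]; int count; } cred_set_t;

/* Behaviour described in the thread: a loaded CRL is prepended like a
 * regular certificate, so lookups always see the most recently loaded one. */
int add_like_cert(cred_set_t *set, crl_t crl) {
    if (set->count >= MAX_CRLS) return -1;
    memmove(&set->crls[1], &set->crls[0], set->count * sizeof(crl_t));
    set->crls[0] = crl;
    set->count++;
    return 0;
}

/* Hypothetical add_crl(): compare against CRLs already held for the same
 * issuer; drop the new one if it is superseded, replace the old one otherwise. */
int add_crl(cred_set_t *set, crl_t crl) {
    for (int i = 0; i < set->count; i++) {
        if (strcmp(set->crls[i].issuer, crl.issuer) != 0) continue;
        if (set->crls[i].number >= crl.number) return 1; /* superseded: dropped */
        set->crls[i] = crl;                               /* newer CRL replaces stale one */
        return 0;
    }
    if (set->count >= MAX_CRLS) return -1;
    set->crls[set->count++] = crl;
    return 0;
}

/* Lookup as a verifier would do it: the first CRL matching the issuer wins. */
const crl_t *find_crl(const cred_set_t *set, const char *issuer) {
    for (int i = 0; i < set->count; i++)
        if (strcmp(set->crls[i].issuer, issuer) == 0) return &set->crls[i];
    return NULL;
}

/* Load two CRLs in the "wrong" order (newest first, stale one last) under the
 * given policy and return the CRL number a verifier would then consult. */
uint32_t load_wrong_order(int (*add)(cred_set_t *, crl_t)) {
    cred_set_t set = { .count = 0 };
    add(&set, (crl_t){ "CN=Example CA", 42 }); /* newest CRL */
    add(&set, (crl_t){ "CN=Example CA", 41 }); /* stale CRL, loaded last */
    const crl_t *c = find_crl(&set, "CN=Example CA");
    return c ? c->number : 0;
}
```

With add_like_cert the verifier ends up checking the stale CRL 41; with add_crl it keeps CRL 42 whatever the load order.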
