Hi Emeric,

> The problem is that our custom authorize hook is called (with final = FALSE)
> even if the CRL is expired:

Yes, it's called after each authentication round and before the constraints check that rejects the SA due to the missing CRL validation. That may allow listeners to modify the current auth_cfg and add or override certain things before the constraints checks.

> As a workaround, how could we check the CRL validation status in our custom
> plugin during the authorize hook?

You can get the current remote auth_cfg from the IKE_SA and look if you have any RULE_CRL_VALIDATION and if so what value it has.

Regards,
Tobias
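The check described in the reply above, as an added example that is not part of the original message or of strongSwan's own code. The types are stand-ins so it compiles on its own (struct layout, get_crl_status and authorize_round are hypothetical names; the enum names are assumed to match strongSwan's headers), and the "only GOOD passes" policy is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in types. In a real plugin the enums come from strongSwan's headers
 * and the remote auth_cfg is fetched from the IKE_SA; layout is hypothetical. */
typedef enum { VALIDATION_GOOD, VALIDATION_SKIPPED, VALIDATION_STALE,
               VALIDATION_FAILED, VALIDATION_ON_HOLD, VALIDATION_REVOKED
} cert_validation_t;
typedef enum { AUTH_RULE_IDENTITY, AUTH_RULE_CRL_VALIDATION } auth_rule_t;
typedef struct { auth_rule_t type; int value; } rule_entry_t;
typedef struct { const rule_entry_t *rules; size_t count; } auth_cfg_t;

/* Look up the CRL validation rule. Returns false when the round carries no
 * such rule, so the caller can tell "absent" from a bad status. */
static bool get_crl_status(const auth_cfg_t *cfg, cert_validation_t *out)
{
    for (size_t i = 0; i < cfg->count; i++) {
        if (cfg->rules[i].type == AUTH_RULE_CRL_VALIDATION) {
            *out = (cert_validation_t)cfg->rules[i].value;
            return true;
        }
    }
    return false;
}

/* Shape of an authorize hook: the return value only says "stay registered";
 * rejection is signalled by clearing *success. Assumed policy: any status
 * other than VALIDATION_GOOD rejects; a round without the rule is left to
 * the remaining checks. */
bool authorize_round(const auth_cfg_t *remote, bool final, bool *success)
{
    cert_validation_t status;

    (void)final; /* checked on every round: the hook runs before the
                  * constraints check that would reject the SA */
    if (get_crl_status(remote, &status) && status != VALIDATION_GOOD)
        *success = false;
    return true;
}

/* Constructed sample rounds (not captured from a real IKE_SA). */
static const rule_entry_t stale_rules[] = {
    { AUTH_RULE_IDENTITY, 0 }, { AUTH_RULE_CRL_VALIDATION, VALIDATION_STALE } };
static const rule_entry_t good_rules[] = {
    { AUTH_RULE_IDENTITY, 0 }, { AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD } };
static const rule_entry_t no_crl_rules[] = { { AUTH_RULE_IDENTITY, 0 } };
const auth_cfg_t stale_round  = { stale_rules, 2 };
const auth_cfg_t good_round   = { good_rules, 2 };
const auth_cfg_t no_crl_round = { no_crl_rules, 1 };
```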
