Hi Mugur,

> Can you please confirm that Charon supports multiple
> distributionPoints (rfc5280) inside cRLDistributionPoints extension
> (therefore multiple HTTP URI for CRL files)?

Yes, this is supported.

> If yes, then how Charon retrieves CRLs from these DPs function of
> strictcrlpolicy and function of the CRL files availability?

If no valid CRL information is available locally from the cache, charon fetches CRLs from these URIs until it finds a valid up-to-date CRL. This happens independently of any strictcrlpolicy setting. If strictcrlpolicy is "yes" or "ifuri", the certificate is rejected if fetching from all of the contained URIs did not yield a valid up-to-date CRL.

Regards

Martin
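A small Python model of the behaviour described in the reply above, added here as an illustration; it is not charon's code and not part of the original message. The function names, the CRL record layout, the example.test URIs and the single-entry cache are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed reference time

def crl(age_days, valid_days, revoked=()):
    """Build a constructed CRL record: thisUpdate, nextUpdate, revoked serials."""
    start = NOW - timedelta(days=age_days)
    return {"this_update": start, "next_update": start + timedelta(days=valid_days),
            "revoked": set(revoked)}

def is_fresh(c, now):
    """Valid and up to date means now lies inside [thisUpdate, nextUpdate)."""
    return c is not None and c["this_update"] <= now < c["next_update"]

def check_certificate(serial, dp_uris, policy, fetch, cache, now=NOW):
    """Return (accepted, reason). fetch(uri) yields a CRL record or None (hypothetical)."""
    found = cache.get("crl")
    if not is_fresh(found, now):
        found = None
        for uri in dp_uris:              # fetching happens under every policy value
            candidate = fetch(uri)
            if is_fresh(candidate, now):
                found = cache["crl"] = candidate
                break                    # first valid up-to-date CRL ends the search
    if found is not None:
        if serial in found["revoked"]:
            return (False, "revoked")
        return (True, "good")
    # No usable CRL from cache or any URI: only now does strictcrlpolicy matter.
    # "ifuri" is strict only when the certificate carries at least one CRL URI
    # (the documented meaning of that value in strongSwan).
    strict = policy == "yes" or (policy == "ifuri" and bool(dp_uris))
    return (False, "no valid CRL") if strict else (True, "status unknown")

# Constructed distribution points: first unreachable, second stale, third good.
SERVERS = {
    "http://crl1.example.test/ca.crl": None,
    "http://crl2.example.test/ca.crl": crl(age_days=30, valid_days=7),
    "http://crl3.example.test/ca.crl": crl(age_days=1, valid_days=7, revoked={0x1234}),
}
ALL_DPS = list(SERVERS)

if __name__ == "__main__":
    for policy in ("no", "ifuri", "yes"):
        # Only the two failing URIs are listed, so the verdict depends on the policy.
        print(policy, check_certificate(0x42, ALL_DPS[:2], policy, SERVERS.get, {}))
```

With all three URIs listed, the third one supplies a fresh CRL and the result is the same under every policy value; the policy only changes the outcome when every listed URI fails.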
