Hi,

crlcheckinterval is not needed anymore because charon has several worker threads. If a certificate has to be checked for revocation, the thread responsible for a given IKE connection just blocks the current IKE processing and fetches a fresh CRL via http: or ldap: if necessary. After the file has been downloaded, which can take a couple of seconds but usually does not cause a retransmission by the peer, the IKE processing for the given connection is resumed.

Pluto only had a single worker thread for all IKE connections plus a second thread for CRL fetching. Therefore pro-active CRL fetching using the crlcheckinterval had to be implemented.

Regards

Andreas

On 02/09/2013 12:41 AM, kgardenia42 wrote:
> Hi,
>
> I notice that crlcheckinterval is not included in strongswan 5.x. Is
> this just a case of it not having been implemented yet or has the
> feature been deliberately removed?
>
> If the latter then what is the expected way to "poll" a crluri to
> check for modifications? I know about OCSP but the realtime check is
> too expensive in my situation so the static file with periodic check
> is ideal.
>
> I suppose I could replicate my own home-grown version of
> "crlcheckinterval" by having a cron/agent do an If-Modified-Since
> check on the CRL URL every so often and somehow tell charon to re-read
> the list if it is modified. But that is extra moving parts I'd
> ideally like to avoid.
>
> Alternatively, is there any command-line mechanism to tell charon to
> re-read the crluri? If that exists then I could just have a cron
> which periodically tells charon to re-check it.
>
> Thanks.

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
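The on-demand behaviour described in the reply above, as a toy Python model added here; it is not strongSwan code and not part of the original thread. The `CrlCache` class, the `slow_fetch` stub, the example URI, and the staleness rule (a cached next-update time) are assumptions made for illustration.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class CrlCache:
    """Model: the worker that needs a CRL fetches it itself and blocks meanwhile."""

    def __init__(self, fetch):
        self._fetch = fetch          # callable(uri) -> (revoked_serials, next_update)
        self._entries = {}           # uri -> (revoked_serials, next_update)
        self._locks = {}             # uri -> lock: one download per CRL at a time
        self._guard = threading.Lock()
        self.fetch_count = 0

    def _lock_for(self, uri):
        with self._guard:
            return self._locks.setdefault(uri, threading.Lock())

    def is_revoked(self, uri, serial, now=None):
        now = time.time() if now is None else now
        # Only workers that need this particular CRL wait on this lock;
        # connections validated against other CRLs keep running.
        with self._lock_for(uri):
            entry = self._entries.get(uri)
            if entry is None or entry[1] <= now:   # missing or stale (assumed rule)
                entry = self._fetch(uri)           # the calling worker blocks here
                self._entries[uri] = entry
                with self._guard:
                    self.fetch_count += 1
        return serial in entry[0]


def slow_fetch(uri):
    """Stand-in for the http:/ldap: download; returns constructed sample data."""
    time.sleep(0.2)
    return ({0x1001}, time.time() + 3600)


def run_demo(workers=4):
    cache = CrlCache(slow_fetch)
    uri = "http://crl.example.test/ca.crl"        # constructed placeholder URI
    serials = [0x1001, 0x2002, 0x3003, 0x1001]    # one check per "IKE connection"
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda s: cache.is_revoked(uri, s), serials))
    return results, cache.fetch_count


if __name__ == "__main__":
    print(run_demo())
```

Four concurrent checks against the same CRL trigger a single download, and no timer thread is involved: a refresh happens only when a check finds the cached copy missing or stale.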
