Alternatively, is there a way to just ignore embedded CRL distribution points, and always use the local CRL?

On Wed, Apr 19, 2017 at 10:49 AM, Zach Cutlip <[email protected]> wrote:
> Is there a way to make CRL verification fail over to a local CRL if
> fetching fails?
>
> My client certificates are configured with an embedded CRL URL. I'm
> finding that if charon is unable to fetch the CRL from the URL
> provided by the cert for some reason, CRL checking fails and
> authentication continues. I've provided a local copy of the CRL in
> /etc/ipsec.d, but it seems to never get checked.
>
> I've verified the local CRL has been loaded; both from syslog entries
> when the strongswan service is started, and from 'ipsec listcrls'.
>
> Thanks,
> Zach
