Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Thanks


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Tobias Brunner
Hi Anthony,
> If a CRL comes in, then I think we would need to do the following:
> 1. create "authorities section" "crl_uris = file:///xxx" in swanctl.conf
> 2. --load-authorities 
> 3. --load-creds

You don't need step 3 if you use file URIs, the CRL is fetched
dynamically during authentication (if you update the CRL, while the old
one is still valid for a while, you need to flush the cache, as pointed
out before).  And if you, alternatively, store the CRL in x509crl then
you only need step 3 (and, again, perhaps flush the cache).

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Tobias
Sorry (round 2)

Item 2, using "authorities section" "crl_uris = file:///xxx"
If the host does not have a CRL, then the "authorities section" will not be 
loaded by our host.

If a CRL comes in, then I think we would need to do the following:
1. create "authorities section" "crl_uris = file:///xxx" in swanctl.conf
2. --load-authorities 
3. --load-creds

-Original Message-
From: Users  On Behalf Of Tobias Brunner
Sent: Thursday, May 09, 2019 8:09 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] charon and CRL loading

Hi Anthony,

> Item 1, if a new CRL is copied to the x509crl directory, "authorities 
> section" not configured, ? will charon automatically re-load the CRL

No, swanctl --load-creds has to be called explicitly.

> Item 2, if a new CRL is copied to the "assigned location", and 
> "authorities section" "crl_uris = file:///xxx", ? will charon 
> automatically re-load the CRL

Only if a previously fetched and cached version expired, or the cache has been 
flushed manually.

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Thanks


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Tobias Brunner
Hi Anthony,

> ? for the CRL cases below, does the host need to "drop the connection" for 
> the CRL updates

The new CRL will currently only have an effect on new connections.  So
if the certificate of a peer who currently is connected is revoked, this
will not have an effect until that peer re-authenticates (i.e. until it
creates a new IKE_SA).

Regards,
Tobias
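
The two procedures Tobias lays out (x509crl directory plus --load-creds, or an authorities section with a file URI plus --load-authorities, each followed by a cache flush) and the point that a new CRL is only consulted for new IKE_SAs, as one added shell example. This is not code from the thread or from the strongSwan project. The default CRL directory, the SWANCTL and CRL_DIR overrides, the authority name and every path passed to the functions are assumptions for illustration; swanctl --terminate --ike is used only as the operator's way of forcing peers of a connection to re-authenticate.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan.  Wraps the two
# ways described above of getting a freshly received CRL into charon.
# CRL_DIR, SWANCTL and all path/name arguments are assumptions for illustration.
set -eu

SWANCTL="${SWANCTL:-swanctl}"               # may be pointed at a stub for testing
CRL_DIR="${CRL_DIR:-/etc/swanctl/x509crl}"  # swanctl's CRL credential directory

# Option A: place the CRL in x509crl/.  charon does not notice new files there,
# so --load-creds is required; flushing cached CRLs as well ensures an older,
# still-valid copy is not used until it expires.
install_crl() {
    crl="$1"
    [ -r "$crl" ] || { echo "cannot read CRL: $crl" >&2; return 2; }
    mkdir -p "$CRL_DIR"
    cp "$crl" "$CRL_DIR/$(basename "$crl")"
    "$SWANCTL" --load-creds
    "$SWANCTL" --flush-certs -t x509_crl
}

# Option B: point an authorities section at the CRL with a file URI.  Emits the
# stanza for swanctl.conf.  charon then reads the file when it authenticates a
# peer, so --load-creds is unnecessary, but a cached copy must still be flushed.
authority_conf() {
    name="$1"; cacert="$2"; crl="$3"
    printf 'authorities {\n    %s {\n        cacert = %s\n        crl_uris = file://%s\n    }\n}\n' \
        "$name" "$cacert" "$crl"
}

# Run after the stanza has been added to swanctl.conf (or the CRL file replaced).
reload_authorities() {
    "$SWANCTL" --load-authorities
    "$SWANCTL" --flush-certs -t x509_crl
}

# A new CRL is only consulted for new IKE_SAs.  To make already-connected peers
# of a connection re-authenticate against it, terminate their IKE_SAs; they
# are checked against the new CRL when they reconnect.
reauth_peers() {
    "$SWANCTL" --terminate --ike "$1"
}

# Usage: ./crl-reload.sh /path/to/new.crl [ike-connection-name]
case "${1:-}" in
    "") ;;                                   # no arguments: only define functions
    *)  install_crl "$1"
        [ -z "${2:-}" ] || reauth_peers "$2" ;;
esac
```

Run it as `./crl-reload.sh /tmp/ca.crl` for the x509crl route, or paste the output of `authority_conf myca ca.pem /var/lib/crl/ca.crl` into swanctl.conf and call `reload_authorities`. Terminating IKE_SAs is disruptive; it is only needed when a peer whose certificate has just been revoked must be cut off before its current IKE_SA would otherwise re-authenticate.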


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Tobias
Sorry one other question.

? for the CRL cases below, does the host need to "drop the connection" for the 
CRL updates

-Original Message-
From: Users  On Behalf Of Tobias Brunner
Sent: Thursday, May 09, 2019 8:09 AM
To: Modster, Anthony ; users@lists.strongswan.org
Cc: Amare, Mesfin 
Subject: Re: [strongSwan] charon and CRL loading

Hi Anthony,

> Item 1, if a new CRL is copied to the x509crl directory, "authorities 
> section" not configured, ? will charon automatically re-load the CRL

No, swanctl --load-creds has to be called explicitly.

> Item 2, if a new CRL is copied to the "assigned location", and 
> "authorities section" "crl_uris = file:///xxx", ? will charon 
> automatically re-load the CRL

Only if a previously fetched and cached version expired, or the cache has been 
flushed manually.

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Thanks


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Tobias Brunner
Hi Anthony,

> Item 1, if a new CRL is copied to the x509crl directory, "authorities 
> section" not configured, ? will charon automatically re-load the CRL

No, swanctl --load-creds has to be called explicitly.

> Item 2, if a new CRL is copied to the "assigned location", and "authorities 
> section" "crl_uris = file:///xxx", ? will charon automatically re-load the CRL

Only if a previously fetched and cached version expired, or the cache
has been flushed manually.

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Modster, Anthony
Tobias
Item 1, if a new CRL is copied to the x509crl directory, "authorities section" 
not configured, ? will charon automatically re-load the CRL

Item 2, if a new CRL is copied to the "assigned location", and "authorities 
section" "crl_uris = file:///xxx", ? will charon automatically re-load the CRL

-Original Message-
From: Tobias Brunner  
Sent: Thursday, May 09, 2019 12:59 AM
To: Modster, Anthony ; users@lists.strongswan.org
Subject: Re: [strongSwan] charon and CRL loading

Hi Anthony,

> ? does charon reload the CRL during ( re-authentication and 
> re-connection )

Not if a valid CRL is still stored in the in-memory cache (which can be cleared 
via `ipsec purgecrls` or `swanctl --flush-certs -t x509_crl`).

> If new CRLs arrive, ? will charon use them during ( re-authentication 
> and re-connection ).

Arrive how?

Regards,
Tobias


Re: [strongSwan] charon and CRL loading

2019-05-09 Thread Tobias Brunner
Hi Anthony,

> ? does charon reload the CRL during ( re-authentication and re-connection )

Not if a valid CRL is still stored in the in-memory cache (which can be
cleared via `ipsec purgecrls` or `swanctl --flush-certs -t x509_crl`).

> If new CRLs arrive, ? will charon use them during ( re-authentication
> and re-connection ).

Arrive how?

Regards,
Tobias