Hello ? then what is Andreas referencing, below is the issue reported https://wiki.strongswan.org/issues/568
Hi Jim, the strongSwan IKE daemon will not try to fetch a fresh CRL before the nextUpdate time in the CRL has passed. If you want to revoke IPsec endpoints more quickly then you must either dramatically reduce the lifetime of a CRL e.g. down to an hour or use the Online Certificate Status Protocol (OCSP) which will give you realtime information on the certificate status. Andreas -----Original Message----- From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> Sent: Wednesday, November 06, 2019 1:27 PM To: Modster, Anthony <anthony.mods...@teledyne.com>; users@lists.strongswan.org Subject: Re: [strongSwan] OCSP update dime Hello, The request doesn't really make sense. There's no OCSP nextUpdate time, that's part of a CRL. Kind regards Noel Am 06.11.19 um 00:03 schrieb Modster, Anthony: > Hello > > > > ? what is the nextUpdate time > > ? is it configurable > > > > https://wiki.strongswan.org/issues/568 > > > > Thanks > > >