TL;DR: How does strongSwan handle renewed or expired CRLs? Platform: 5.9.4 on Debian 11. Private CA. CRL distributed via http.

Hi folks,

Apparently certificate revocation lists have an expiration date. AFAIU this is the maximum time a CRL should be cached. I had revoked a few road-warrior certificates and put a new CRL on my web server within this grace period, but strongSwan refused to check the URL for an update, as Apache's access.log shows. Even on "ipsec rereadcrls" the new CRL was ignored. I had to restart strongSwan to make it use the new CRL. Is this as expected?

And a related question: Do I have to assume that all road-warrior certificates become unusable if the CRL mentioned in the certificates expires?

Regards
Harri
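The following is an added example, not part of the original post and not strongSwan code: a throwaway private CA built with openssl(1) that issues two road-warrior certificates, revokes one, and then runs `openssl verify -crl_check` against a current CRL and against a CRL whose nextUpdate has passed. It shows the CRL semantics behind the second question: a CRL carries thisUpdate/nextUpdate, and a verifier that enforces CRL checking rejects every certificate of that CA once the CRL is past nextUpdate, not only the revoked ones. All names (Demo CA, rw1, rw2, the crl-*.pem files) and the config are constructed for this example; it assumes openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan): CRL semantics
# demonstrated with a throwaway openssl CA in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl ca(1) configuration, constructed for this example.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir
serial             = $dir/serial
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_md         = sha256
default_days       = 30
default_crl_days   = 7
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
EOF
touch index.txt
echo 1000 > serial

# Private CA plus two road-warrior certificates (serials 0x1000 and 0x1001).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
for rw in rw1 rw2; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$rw" -keyout "$rw.key" -out "$rw.csr" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in "$rw.csr" -out "$rw.crt" 2>/dev/null
done

# Revoke rw1 and issue a CRL that is good for the next 7 days (default_crl_days).
openssl ca -config ca.cnf -revoke rw1.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl-fresh.pem 2>/dev/null

# Issue a second CRL with nextUpdate one second from now, then wait past it:
# this is the "CRL mentioned in the certificates has expired" situation.
openssl ca -config ca.cnf -gencrl -crlsec 1 -out crl-expired.pem 2>/dev/null
sleep 2

# Show the two timestamps a relying party looks at.
crl_info() { openssl crl -in "$1" -noout -lastupdate -nextupdate; }

# Does the CRL list a given serial (hex, as openssl prints it)?
crl_lists_serial() { openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"; }

# verify_status CERT CRL -> prints one of: ok | revoked | crl_expired | other
# openssl checks the CRL's validity window before it looks for the serial, so
# an expired CRL fails every certificate, revoked or not.
verify_status() {
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *"CRL has expired"*)     echo crl_expired ;;
        *": OK"*)                echo ok ;;
        *)                       echo other ;;
    esac
}

echo "fresh CRL:";   crl_info crl-fresh.pem
echo "expired CRL:"; crl_info crl-expired.pem
for c in rw1.crt rw2.crt; do
    for crl in crl-fresh.pem crl-expired.pem; do
        printf '%-8s against %-16s -> %s\n' "$c" "$crl" "$(verify_status "$c" "$crl")"
    done
done
```

This only demonstrates what the CRL itself says; strongSwan's charon makes its own decision about fetching and trusting CRLs, which is what the question above is about. The same `openssl crl -noout -lastupdate -nextupdate` call, pointed at the file Apache actually serves, is a quick way to confirm which CRL the clients would download and how long it is valid.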
