Hi Harri,
> Apparently certificate revocation lists have an expiration date. AFAIU this is the maximum time a CRL should be cached.
Technically, it's the date by which the next CRL will be issued. A CRL is considered valid until that date.
> I had revoked a few road-warrior certificates and put a new CRL on my web server within this grace period, but strongswan refused to check the URL for an update, as Apache's access.log shows.
strongSwan only checks the URL if no valid CRL is found locally. Either manually installed or cached (in-memory and, if charon.cache_crls and/or cachecrls in config setup is enabled, on disk).
> Even on "ipsec rereadcrls" the new CRL was ignored.
This reads CRLs from /etc/ipsec.d/crls, nothing else. To flush the in-memory cache use `ipsec purgecrls` (CRLs cached on disk have to be deleted manually from the directory above, note that that requires a restart).
> And a related question: Do I have to assume that all road-warrior certificates become unusable, if the CRL mentioned in the certificates expires?
Only if strictcrlpolicy is enabled (revocation in swanctl.conf).

Regards,
Tobias
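The rule in the reply above, that a CRL stays valid until its nextUpdate and a cached copy is used until then, can be tried out offline. The script below is an added example, not code from this thread or from strongSwan: it builds a throwaway CA with the openssl CLI, issues two road-warrior certificates (the names alice and bob, the CA directory and the one-day CRL lifetime are assumptions), revokes one, and then reads the CRL the way a relying party would. It needs the openssl binary and GNU date.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: throwaway CA,
# one revoked road-warrior certificate, a CRL whose nextUpdate is one day out,
# and the conclusions a relying party such as charon draws from that CRL.
# Requires the openssl CLI and GNU date; all paths and names are assumptions.
set -eu

# setup_ca DIR: minimal openssl-ca bookkeeping plus a self-signed CA cert.
setup_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ca]
default_ca = ca_default
[ca_default]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = policy_any
[policy_any]
commonName = supplied
[req]
distinguished_name = dn
[dn]
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 \
        -subj "/CN=Example VPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME: key and CSR for a road warrior, signed by the CA above.
issue_cert() {
    dir=$1; name=$2
    openssl req -new -config "$dir/ca.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext \
        -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# revoke_and_gencrl DIR NAME: mark NAME revoked and write a fresh DIR/crl.pem.
revoke_and_gencrl() {
    dir=$1; name=$2
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/$name.crt" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
}

# crl_next_update CRL: nextUpdate as epoch seconds. Until this instant a
# relying party treats its local copy as valid and does not fetch the CDP URL.
crl_next_update() {
    nu=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    date -u -d "$nu" +%s
}

# crl_is_revoked CRL CERT: succeeds if CERT's serial number is listed on CRL.
crl_is_revoked() {
    serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
    openssl crl -in "$1" -noout -text | grep -qi "Serial Number: $serial"'$'
}

# crl_action CRL NOW_EPOCH: "cached" while nextUpdate lies ahead, "fetch" once
# it has passed; this is why a newer CRL on the web server is ignored until
# the old one expires or the local copy is purged.
crl_action() {
    if [ "$(crl_next_update "$1")" -gt "$2" ]; then echo cached; else echo fetch; fi
}

# demo: full run. On a strongSwan gateway the published crl.pem would then be
# copied to /etc/ipsec.d/crls, followed by `ipsec purgecrls` and `ipsec rereadcrls`.
demo() {
    dir=$(mktemp -d)
    setup_ca "$dir"
    issue_cert "$dir" alice
    issue_cert "$dir" bob
    revoke_and_gencrl "$dir" alice
    openssl crl -in "$dir/crl.pem" -noout -lastupdate -nextupdate
    crl_is_revoked "$dir/crl.pem" "$dir/alice.crt" && echo "alice: revoked"
    crl_is_revoked "$dir/crl.pem" "$dir/bob.crt" || echo "bob: not revoked"
    echo "now:       $(crl_action "$dir/crl.pem" "$(date +%s)")"
    echo "in 2 days: $(crl_action "$dir/crl.pem" $(( $(date +%s) + 172800 )))"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh crl-demo.sh demo`. The printed nextUpdate is the point of the thread: a gateway holding the previous CRL keeps using it until that date, so after revoking certificates the CRL has to be replaced locally (in /etc/ipsec.d/crls, then `ipsec purgecrls` and `ipsec rereadcrls`) rather than only re-published at the CDP URL. Whether an expired CRL blocks road warriors is decided by `strictcrlpolicy=yes` in `config setup` of ipsec.conf, or `revocation = strict` in the connection's `remote` section of swanctl.conf; with the default relaxed settings the connection is still accepted.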
