OpenSwan cannot be configured to immediately check certificates against newly retrieved CRLs

Solution Verified - Updated -

Issue

  • Please let us know whether Red Hat plans on supporting the following features in OpenSwan anytime soon.

    1. OpenSwan cannot be configured to immediately check certificates against newly retrieved CRLs. Currently, revoked certificates become inactive only after the rekey interval. This behaviour is hard-coded and cannot be configured. It should be possible to configure OpenSwan to immediately check all certificates when a new CRL is retrieved.

    2. OpenSwan cannot be configured to immediately tear down all connections if it finds certificates are revoked in the CRL. Currently, connections are torn down only after the rekey interval. This behaviour is also hard-coded. It should be possible to configure OpenSwan to immediately tear down all related connections when a certificate is revoked.

Environment

  • Red Hat Enterprise Linux 5, 6
  • OpenSwan
