LinuxQuestions.org


cmisip 10-24-2003 12:37 AM

crl update is overdue --> What for? in IPSEC
 
I have freeswan ipsec connecting my laptop to my wired lan (wireless encryption). My logwatch shows crl update is overdue. After some reading, I deduce that:

-   crl.pem is used for certificate revocation
-   by default it will expire in 30 days
-   if it expires, then all certificates issued with the certificate authority are auto revoked unless a new crl.pem is created.

Are the above correct? I am asking because despite the "crl update is overdue" in my logwatch, the laptop can still connect via ipsec freeswan. I am using Freeswan 2.01. I also seem to remember that one of my expired certificates in the past allowed me to connect.

Thanks for any insight.

stickman 12-01-2003 04:32 PM

Typically the CRL is used to determine whether a cert has been revoked prior to its scheduled expiration date.

cmisip 12-01-2003 08:55 PM

Does it actually play a part in certificate revocation, or does it just give me information?

Thanks

stickman 12-02-2003 08:58 AM

The CRL is purely informational. How your app reacts when it's out of date is another story.
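
The distinction discussed in this thread, as an added example that is not from any poster or from FreeS/WAN: a CRL past its nextUpdate date does not by itself revoke any certificate, and whether a peer is still accepted is a policy choice of the application. The function names and the `strict` switch are hypothetical, and the sample text is constructed in the format printed by `openssl crl -noout -lastupdate -nextupdate`.

```python
from datetime import datetime, timezone

# Constructed sample, in the format printed by:
#   openssl crl -in crl.pem -noout -lastupdate -nextupdate
SAMPLE = "lastUpdate=Oct 24 05:37:00 2003 GMT\nnextUpdate=Nov 23 05:37:00 2003 GMT\n"

def parse_crl_dates(text):
    """Return {'lastUpdate': datetime, 'nextUpdate': datetime} in UTC.
    A CRL without a nextUpdate field (printed as NONE) yields no such key."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate") and value.strip() != "NONE":
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    return dates

def check_peer(serial, revoked_serials, crl_dates, now, strict):
    """Decide whether to accept a peer certificate (hypothetical policy model).

    serial / revoked_serials: the peer's serial and the serials listed in the CRL.
    strict: hypothetical switch; True means a stale CRL is treated as a failure.
    """
    if serial in revoked_serials:
        return "reject: certificate is listed in the CRL"
    next_update = crl_dates.get("nextUpdate")
    if next_update is not None and now > next_update:
        # The CRL is stale: revocations issued since lastUpdate are unknown.
        if strict:
            return "reject: crl update is overdue (strict policy)"
        return "accept with warning: crl update is overdue"
    return "accept"

if __name__ == "__main__":
    dates = parse_crl_dates(SAMPLE)
    now = datetime(2003, 12, 1, 21, 32, tzinfo=timezone.utc)  # constructed "now"
    for strict in (False, True):
        print(strict, check_peer(0x02, {0x05}, dates, now, strict))
```

With the lenient setting the connection still comes up and only a warning is logged, which matches what the original poster observed.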


All times are GMT -5.