On closer inspection I see that the CRL has been successfully fetched but that the information is stale:

  : fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
  : crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained

pluto then probably tries to evaluate a CRL distribution point (CDP) extracted from the certificate:

  : fetching crl from 'VPNCA-crl.pem' ...
  : unable to fetch from VPNCA-crl.pem, no capable fetcher found

Since 'VPNCA-crl.pem' is not a valid absolute URI the error

  : unable to fetch from VPNCA-crl.pem, no capable fetcher found

is returned. Currently strongSwan supports only CDPs of the form

  http://<server>/<path>/<crl file>

but no relative CDPs of the form

  <crl file>

where the location is defined in a separate AuthorityInfoAccess certificate extension. If you would like to have this feature supported in a future strongSwan release, please send me your certificate so that I can analyze it.

Regards

Andreas

On 24.06.2010 13:07, Claude Tompers wrote:
> Yes, make clean has been executed before recompiling. Explicitly loading the curl module did not help either:
>
> Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr
> ...
> Jun 24 13:05:46 vpn6-test pluto[28289]: fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> Jun 24 13:05:46 vpn6-test pluto[28289]: crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained
> Jun 24 13:05:46 vpn6-test pluto[28289]: fetching crl from 'VPNCA-crl.pem' ...
> Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
> Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
> Jun 24 13:05:46 vpn6-test pluto[28289]: "cisco-vpn"[1] 192.168.1.180:59907 #1: X.509 certificate rejected
>
> regards,
> Claude
>
> On Thursday 24 June 2010 12:58:17 Andreas Steffen wrote:
>> Here a follow-up comment: If you are *not* using an explicit pluto.load statement then do not forget to execute make clean before recompiling strongSwan with --enable-curl, since otherwise the default pluto plugin load list will not be updated.
>>
>> Andreas
>>
>> On 24.06.2010 12:54, Andreas Steffen wrote:
>>> Hi Claude,
>>>
>>> if you are using an explicit pluto.load statement in strongswan.conf then you must add curl to the plugin list.
>>>
>>> Andreas
>>>
>>> On 24.06.2010 12:52, Claude Tompers wrote:
>>>> Thanks for your fast answer. I did recompile; the error message is now slightly different, but the outcome is the same. :(
>>>>
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from 'VPNCA-crl.pem' ...
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: crl fetching failed
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: "cisco-vpn"[1] 192.168.1.180:64053 #1: X.509 certificate rejected
>>>>
>>>> regards,
>>>> Claude
>>>>
>>>> On Thursday 24 June 2010 11:59:03 Andreas Steffen wrote:
>>>>> Hmmm, it seems that the curl plugin is required to refetch CRLs from the local file system. Compile strongSwan with
>>>>>
>>>>>   ./configure --enable-curl
>>>>>
>>>>> Regards
>>>>>
>>>>> Andreas
>>>>>
>>>>> On 24.06.2010 11:51, Claude Tompers wrote:
>>>>>> Hello,
>>>>>>
>>>>>> My strongswan server is unable to refetch crls. When the server starts, it reads the crl correctly, but if a client tries to connect, the refetch fails and so the connection fails. Here's the log:
>>>>>>
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher found
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from 'VPNCA-crl.pem' ...
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: "cisco-vpn"[1] 192.168.1.180:59262 #1: X.509 certificate rejected
>>>>>>
>>>>>> The permissions on the crl are:
>>>>>>
>>>>>> -rw------- 1 root root 1064 May 21 08:13 /usr/local/etc/ipsec.d/crls/VPNCA-crl.pem
>>>>>>
>>>>>> Any ideas? Thanks very much
>>>>>>
>>>>>> Claude
>>
>> ======================================================================
>> Andreas Steffen                         [email protected]
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
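The two conditions Andreas picks out of the log above (a refetched CRL whose date is not newer than the cached copy, followed by a CDP that is a bare file name rather than an absolute URI, so no fetcher plugin can handle it) can be triaged mechanically. The script below is an added example, not code from strongSwan or from anyone in this thread. It assumes that the set of URI schemes with a fetcher is http, https and file (the curl plugin covers these in the thread), and it runs over constructed log lines modelled on the pluto output quoted above.

```python
"""Triage strongSwan pluto CRL-fetch log lines (added example, not strongSwan code)."""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample, modelled on the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Jun 24 13:05:46 vpn6-test pluto[28289]: fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]: crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained
Jun 24 13:05:46 vpn6-test pluto[28289]: fetching crl from 'VPNCA-crl.pem' ...
Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
Jun 24 13:05:46 vpn6-test pluto[28289]: "cisco-vpn"[1] 192.168.1.180:59907 #1: X.509 certificate rejected
"""

MSG_RE = re.compile(r"pluto\[\d+\]: (?P<msg>.*)$")
FETCH_RE = re.compile(r"fetching crl from '(?P<uri>[^']*)'")
STALE_RE = re.compile(r"crl from (?P<new>.+?) is not newer - existing crl from (?P<old>.+?) retained")
NOFETCH_RE = re.compile(r"unable to fetch from (?P<uri>[^,\s]+), no capable fetcher found")
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"')
TIME_FMT = "%b %d %H:%M:%S %Y"   # the date format pluto prints for CRL dates

# Assumed set of schemes for which a fetcher plugin exists (curl provides these).
DEFAULT_FETCHERS = ("http", "https", "file")


def classify_cdp(uri, fetchers=DEFAULT_FETCHERS):
    """Say why a CRL distribution point could or could not be fetched.

    'VPNCA-crl.pem' has no scheme at all, so it is a relative name rather
    than an absolute URI; pluto reports that as 'no capable fetcher found'.
    """
    scheme = urlsplit(uri).scheme
    if not scheme:
        return "relative"       # not an absolute URI
    if scheme not in fetchers:
        return "unsupported"    # absolute URI, but no plugin for this scheme
    return "fetchable"


def crl_is_newer(fetched, existing):
    """A refetched CRL replaces the cached copy only if its date is strictly newer."""
    return datetime.strptime(fetched, TIME_FMT) > datetime.strptime(existing, TIME_FMT)


def triage(log_text):
    """Return (finding, detail) pairs for the CRL-related events in pluto's log."""
    findings = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (f := FETCH_RE.search(msg)):
            kind = classify_cdp(f.group("uri"))
            if kind != "fetchable":
                findings.append(("cdp_" + kind, f.group("uri")))
        elif (s := STALE_RE.search(msg)):
            if not crl_is_newer(s.group("new"), s.group("old")):
                findings.append(("crl_stale_retained", s.group("new")))
        elif (n := NOFETCH_RE.search(msg)):
            findings.append(("no_capable_fetcher", n.group("uri")))
        elif msg.endswith("X.509 certificate rejected"):
            c = CONN_RE.search(msg)
            findings.append(("certificate_rejected", c.group("conn") if c else msg))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Run against the sample, the script reports the stale-but-retained CRL, the relative CDP 'VPNCA-crl.pem', the resulting fetcher failure and the rejected certificate on the "cisco-vpn" connection, which is exactly the chain of events the thread walks through. Swapping in a file:// or http:// CDP makes the `cdp_relative` finding disappear.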
