[Openswan Users] crl.pem segfaults Pluto
Warren Hinscliff
warren at central-data.net
Tue May 18 16:18:27 CEST 2004
I'm running OpenSwan 2.1.1 on Debian unstable (Kernel 2.4.24). I have
installed the software and can run a connection with shared secrets with
no problems.

I want to use X.509 certificates with Windows clients. I set up a
certificate authority on the OpenSwan server and generated certificates.
However, when I put them in place, OpenSwan no longer works - Pluto
segfaults. This happens even if the only connection set to auto-start uses
shared secrets, not certificates.

It seems to depend on the /etc/ipsec.d/crls/crl.pem file - if this
exists Pluto dies, apparently at the point when it reads it. Remove this
and it starts OK.

Can anyone point me to what may be the problem?

I see in the list archives what seems to be the same problem in 2.1.0,
but apparently it was to be fixed in 2.1.1, which I'm running.
--------------------
Failure - auth.log (debug=none):
May 18 14:34:49 fcspos ipsec__plutorun: Starting Pluto subsystem...
May 18 14:34:49 fcspos pluto[1982]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May 18 14:34:49 fcspos pluto[1982]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 18 14:34:49 fcspos pluto[1982]: Using KLIPS IPsec interface code
May 18 14:34:49 fcspos pluto[1982]: Changing to directory '/etc/ipsec.d/cacerts'
May 18 14:34:49 fcspos pluto[1982]: loaded cacert file 'cacert.pem' (1818 bytes)
May 18 14:34:49 fcspos pluto[1982]: Changing to directory '/etc/ipsec.d/crls'
May 18 14:34:49 fcspos pluto[1982]: loaded crl file 'crl.pem' (751 bytes)
May 18 14:35:01 fcspos ipsec__plutorun: Restarting Pluto subsystem...
May 18 14:35:01 fcspos pluto[2194]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
--------------------
Failure - auth.log (debug=all):
dies after this:
May 18 14:52:04 fcspos pluto[6889]: Changing to directory '/etc/ipsec.d/crls'
May 18 14:52:04 fcspos pluto[6889]: loaded crl file 'crl.pem' (751 bytes)
May 18 14:52:04 fcspos pluto[6889]: | file content is not binary ASN.1
May 18 14:52:04 fcspos pluto[6889]: | -----BEGIN X509 CRL-----
May 18 14:52:04 fcspos pluto[6889]: | -----END X509 CRL-----
May 18 14:52:04 fcspos pluto[6889]: | file coded in PEM format
---------------
Failure - Daemon.log:
May 18 14:34:49 fcspos ipsec_setup: ...Openswan IPsec started
May 18 14:34:49 fcspos ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 1: 1982 Segmentation fault /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-none --uniqueids
May 18 14:34:49 fcspos ipsec__plutorun: whack: is Pluto running? connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
May 18 14:34:49 fcspos ipsec__plutorun: ...could not add conn "vodafone"
--------------------
Success - auth.log
May 18 14:39:13 fcspos ipsec__plutorun: Restarting Pluto subsystem...
May 18 14:39:13 fcspos pluto[6086]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May 18 14:39:13 fcspos pluto[6086]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 18 14:39:13 fcspos pluto[6086]: Using KLIPS IPsec interface code
May 18 14:39:13 fcspos pluto[6086]: Changing to directory '/etc/ipsec.d/cacerts'
May 18 14:39:13 fcspos pluto[6086]: loaded cacert file 'cacert.pem' (1818 bytes)
May 18 14:39:13 fcspos pluto[6086]: Changing to directory '/etc/ipsec.d/crls'
May 18 14:39:13 fcspos pluto[6086]: Warning: empty directory
May 18 14:39:14 fcspos pluto[6086]: added connection description "vodafone"
May 18 14:39:14 fcspos pluto[6086]: added connection description "w2ktest"
May 18 14:39:14 fcspos pluto[6086]: listening for IKE messages
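An added example, not part of the original post and not Openswan code: a small triage script that automates the comparison made by hand above, reporting for each pluto PID that never logged "listening for IKE messages" the last file it loaded. The function name `failed_startups` is hypothetical and the sample log is constructed from the excerpts in the post, with wrapped lines rejoined.

```python
import re

# Constructed sample, modelled on the auth.log excerpts in the post.
SAMPLE_LOG = """\
May 18 14:34:49 fcspos pluto[1982]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May 18 14:34:49 fcspos pluto[1982]: Changing to directory '/etc/ipsec.d/cacerts'
May 18 14:34:49 fcspos pluto[1982]: loaded cacert file 'cacert.pem' (1818 bytes)
May 18 14:34:49 fcspos pluto[1982]: Changing to directory '/etc/ipsec.d/crls'
May 18 14:34:49 fcspos pluto[1982]: loaded crl file 'crl.pem' (751 bytes)
May 18 14:35:01 fcspos ipsec__plutorun: Restarting Pluto subsystem...
May 18 14:39:13 fcspos pluto[6086]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May 18 14:39:13 fcspos pluto[6086]: Changing to directory '/etc/ipsec.d/cacerts'
May 18 14:39:13 fcspos pluto[6086]: loaded cacert file 'cacert.pem' (1818 bytes)
May 18 14:39:13 fcspos pluto[6086]: Changing to directory '/etc/ipsec.d/crls'
May 18 14:39:13 fcspos pluto[6086]: Warning: empty directory
May 18 14:39:14 fcspos pluto[6086]: listening for IKE messages
"""

PLUTO = re.compile(r"pluto\[(\d+)\]: (.*)$")
CHDIR = re.compile(r"Changing to directory '([^']+)'")
LOADED = re.compile(r"loaded \w+ file '([^']+)'")

def failed_startups(log_text):
    """Map each pluto PID that never became ready to the last file it loaded.

    A PID whose log simply ends mid-startup is reported too, so run this on
    a log that covers the whole start attempt.
    """
    runs = {}  # pid -> {"dir": current directory, "last": last file, "ready": bool}
    for line in log_text.splitlines():
        m = PLUTO.search(line)
        if not m:
            continue  # not a pluto line (e.g. ipsec__plutorun)
        pid, msg = int(m.group(1)), m.group(2)
        run = runs.setdefault(pid, {"dir": None, "last": None, "ready": False})
        if (d := CHDIR.search(msg)):
            run["dir"] = d.group(1)
        elif (f := LOADED.search(msg)):
            run["last"] = f"{run['dir'] or '?'}/{f.group(1)}"
        elif "listening for IKE messages" in msg:
            run["ready"] = True
    return {pid: r["last"] for pid, r in runs.items() if not r["ready"]}

if __name__ == "__main__":
    for pid, path in failed_startups(SAMPLE_LOG).items():
        print(f"pluto[{pid}] never became ready; last file loaded: {path}")
```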