[Openswan Users] crl.pem segfaults Pluto

Warren Hinscliff warren at central-data.net
Tue May 18 16:18:27 CEST 2004


I'm running OpenSwan 2.1.1 on Debian unstable (Kernel 2.4.24). I have
installed the software and can run a connection with shared secrets with
no problems.

I want to use X.509 certificates with Windows clients. I set up a
certificate authority on the OpenSwan server and generated certificates.
However, when I put them in place, OpenSwan no longer works - Pluto
segfaults. This happens even if the only connection set to auto-start uses
shared secrets, not certificates.

It seems to depend on the /etc/ipsec.d/crls/crl.pem file - if this
exists Pluto dies, apparently at the point when it reads it. Remove this
and it starts OK.

Can anyone point me to what may be the problem? 

I see in the list archives what seems to be the same problem in 2.1.0,
but apparently it was to be fixed in 2.1.1, which I'm running.

--------------------
Failure - auth.log (debug=none):

May 18 14:34:49 fcspos ipsec__plutorun: Starting Pluto subsystem...
May 18 14:34:49 fcspos pluto[1982]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May 18 14:34:49 fcspos pluto[1982]:   including NAT-Traversal patch (Version 0.6c) [disabled]
May 18 14:34:49 fcspos pluto[1982]: Using KLIPS IPsec interface code
May 18 14:34:49 fcspos pluto[1982]: Changing to directory '/etc/ipsec.d/cacerts'
May 18 14:34:49 fcspos pluto[1982]:   loaded cacert file 'cacert.pem' (1818 bytes)
May 18 14:34:49 fcspos pluto[1982]: Changing to directory '/etc/ipsec.d/crls'
May 18 14:34:49 fcspos pluto[1982]:   loaded crl file 'crl.pem' (751 bytes)

May 18 14:35:01 fcspos ipsec__plutorun: Restarting Pluto subsystem...
May 18 14:35:01 fcspos pluto[2194]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)

--------------------
Failure - auth.log (debug=all):

dies after this:

May 18 14:52:04 fcspos pluto[6889]: Changing to directory '/etc/ipsec.d/crls'
May 18 14:52:04 fcspos pluto[6889]:   loaded crl file 'crl.pem' (751 bytes)
May 18 14:52:04 fcspos pluto[6889]: |   file content is not binary ASN.1
May 18 14:52:04 fcspos pluto[6889]: |   -----BEGIN X509 CRL-----
May 18 14:52:04 fcspos pluto[6889]: |   -----END X509 CRL-----
May 18 14:52:04 fcspos pluto[6889]: |   file coded in PEM format

---------------

Failure - Daemon.log:

May 18 14:34:49 fcspos ipsec_setup: ...Openswan IPsec started
May 18 14:34:49 fcspos ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 1:  1982 Segmentation fault      /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-none --uniqueids
May 18 14:34:49 fcspos ipsec__plutorun: whack: is Pluto running?  connect() for "/var/run/pluto.ctl" failed (111 Connection refused)
May 18 14:34:49 fcspos ipsec__plutorun: ...could not add conn "vodafone"

Success - auth.log

May 18 14:39:13 fcspos ipsec__plutorun: Restarting Pluto subsystem...
May 18 14:39:13 fcspos pluto[6086]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May 18 14:39:13 fcspos pluto[6086]:   including NAT-Traversal patch (Version 0.6c) [disabled]
May 18 14:39:13 fcspos pluto[6086]: Using KLIPS IPsec interface code
May 18 14:39:13 fcspos pluto[6086]: Changing to directory '/etc/ipsec.d/cacerts'
May 18 14:39:13 fcspos pluto[6086]:   loaded cacert file 'cacert.pem' (1818 bytes)
May 18 14:39:13 fcspos pluto[6086]: Changing to directory '/etc/ipsec.d/crls'
May 18 14:39:13 fcspos pluto[6086]:   Warning: empty directory
May 18 14:39:14 fcspos pluto[6086]: added connection description "vodafone"
May 18 14:39:14 fcspos pluto[6086]: added connection description "w2ktest"
May 18 14:39:14 fcspos pluto[6086]: listening for IKE messages





