[strongSwan] No capable fetcher found

Andreas Steffen andreas.steffen at strongswan.org
Thu Jun 24 13:19:30 CEST 2010


On closer inspection I see that the crl has been successfully
fetched but that the information is stale:

: fetching crl from
   'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
: crl from May 21 08:12:40 2010 is not newer - existing crl from
   May 21 08:12:40 2010 retained

pluto then probably tries to evaluate a CRL distribution point (CDP)
extracted from the certificate

: fetching crl from 'VPNCA-crl.pem' ...
: unable to fetch from VPNCA-crl.pem, no capable fetcher found

Since 'VPNCA-crl.pem' is not a valid absolute URI, the error

: unable to fetch from VPNCA-crl.pem, no capable fetcher found

is returned. Currently strongSwan supports only CDPs of
the form http://<server>/<path>/<crl file>

but no relative CDPs of the form <crl file> where the location
is defined in a separate AuthorityInfoAccess certificate extension.
If you would like to have this feature supported in a future
strongSwan release, please send me your certificate so that
I can analyze it.

Regards

Andreas

On 24.06.2010 13:07, Claude Tompers wrote:
> Yes, make clean has been executed before recompiling,
>
> Explicitly loading the curl module did not help either :
>
> Jun 24 13:05:18 vpn6-test pluto[28289]: loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp attr
> ...
> Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
> Jun 24 13:05:46 vpn6-test pluto[28289]:   crl from May 21 08:12:40 2010 is not newer - existing crl from May 21 08:12:40 2010 retained
> Jun 24 13:05:46 vpn6-test pluto[28289]:   fetching crl from 'VPNCA-crl.pem' ...
> Jun 24 13:05:46 vpn6-test pluto[28289]: unable to fetch from VPNCA-crl.pem, no capable fetcher found
> Jun 24 13:05:46 vpn6-test pluto[28289]: crl fetching failed
> Jun 24 13:05:46 vpn6-test pluto[28289]: "cisco-vpn"[1] 192.168.1.180:59907 #1: X.509 certificate rejected
>
> regards,
> Claude
>
>
> On Thursday 24 June 2010 12:58:17 Andreas Steffen wrote:
>> Here is a follow-up comment:
>>
>> If you are *not* using an explicit pluto.load statement then
>> do not forget to execute
>>
>>     make clean
>>
>> before recompiling strongSwan with --enable-curl, since otherwise
>> the default pluto plugin load list will not be updated.
>>
>> Andreas
>>
>> On 24.06.2010 12:54, Andreas Steffen wrote:
>>> Hi Claude,
>>>
>>> if you are using an explicit pluto.load statement in strongswan.conf
>>> then you must add curl to the plugin list.
>>>
>>> Andreas
>>>
>>> On 24.06.2010 12:52, Claude Tompers wrote:
>>>> Thanks for your fast answer.
>>>>
>>>> I did recompile, the error message is now slightly different, but the
>>>> outcome is the same. :(
>>>>
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
>>>> 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: crl from May 21 08:12:40 2010
>>>> is not newer - existing crl from May 21 08:12:40 2010 retained
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: fetching crl from
>>>> 'VPNCA-crl.pem' ...
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: unable to fetch from
>>>> VPNCA-crl.pem, no capable fetcher found
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: crl fetching failed
>>>> Jun 24 12:47:48 vpn6-test pluto[1705]: "cisco-vpn"[1]
>>>> 192.168.1.180:64053 #1: X.509 certificate rejected
>>>>
>>>> regards,
>>>> Claude
>>>>
>>>> On Thursday 24 June 2010 11:59:03 Andreas Steffen wrote:
>>>>> Hmmm, it seems that the curl plugin is required to
>>>>> refetch CRLs from the local file system. Compile
>>>>> strongSwan with
>>>>>
>>>>> ./configure --enable-curl
>>>>>
>>>>> Regards
>>>>>
>>>>> Andreas
>>>>>
>>>>> On 24.06.2010 11:51, Claude Tompers wrote:
>>>>>> Hello,
>>>>>>
>>>>>> My strongswan server is unable to refetch crls.
>>>>>> When the server starts, it reads the crl correctly, but if a client
>>>>>> tries to connect, the refetch fails and so the connection fails.
>>>>>>
>>>>>> Here's the log :
>>>>>>
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
>>>>>> 'file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem' ...
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
>>>>>> file:///usr/local/etc/ipsec.d/crls/VPNCA-crl.pem, no capable fetcher
>>>>>> found
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: fetching crl from
>>>>>> 'VPNCA-crl.pem' ...
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: unable to fetch from
>>>>>> VPNCA-crl.pem, no capable fetcher found
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: crl fetching failed
>>>>>> Jun 24 11:46:46 vpn6-test pluto[13321]: "cisco-vpn"[1]
>>>>>> 192.168.1.180:59262 #1: X.509 certificate rejected
>>>>>>
>>>>>> The permissions on the crl are :
>>>>>> -rw------- 1 root root 1064 May 21 08:13
>>>>>> /usr/local/etc/ipsec.d/crls/VPNCA-crl.pem
>>>>>>
>>>>>> Any ideas ?
>>>>>>
>>>>>> thanks very much
>>>>>> Claude


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
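The diagnosis above turns on what the certificate's CRL Distribution Points extension actually contains: an absolute http:// (or, with the curl plugin loaded, file://) URI can be handed to a fetcher, while a bare file name such as 'VPNCA-crl.pem' has no scheme and therefore no fetcher. The script below is an added example, not code from this thread or from strongSwan; it decodes the DER value of a CRLDistributionPoints extension (RFC 5280, section 4.2.1.13) with a minimal TLV walker, lists every uniformResourceIdentifier found in a distributionPoint fullName, and classifies each one the way pluto's fetcher selection would. The sample extension value, the host crl.example.org and the set of schemes treated as fetchable are constructed assumptions for the example.

```python
"""Extract CRL Distribution Point URIs from a DER-encoded CRLDistributionPoints
extension value and report which ones a fetcher that only understands absolute
URIs with a known scheme could act on.  Added example; not strongSwan code."""
from urllib.parse import urlsplit

# Assumed set of schemes with a fetcher available.  The thread shows http://
# CDPs being supported and file:// working once the curl plugin was loaded.
SUPPORTED_SCHEMES = {"http", "file"}

# ASN.1 tags used inside CRLDistributionPoints (RFC 5280 section 4.2.1.13).
TAG_SEQUENCE = 0x30
TAG_CTX0_CONSTRUCTED = 0xA0   # [0] distributionPoint, and [0] fullName inside it
TAG_CTX6_URI = 0x86           # GeneralName uniformResourceIdentifier ([6] IA5String)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos]; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in this extension")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count the length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf):
    """Yield (tag, value) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def cdp_uris(ext_value):
    """Return the URI strings from every DistributionPoint.fullName in ext_value."""
    tag, dps, end = read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("extension value is not a single SEQUENCE")
    uris = []
    for dp_tag, dp in iter_tlvs(dps):                  # SEQUENCE OF DistributionPoint
        if dp_tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint is not a SEQUENCE")
        for field_tag, field in iter_tlvs(dp):
            if field_tag != TAG_CTX0_CONSTRUCTED:       # skip reasons [1] and cRLIssuer [2]
                continue
            for name_tag, names in iter_tlvs(field):   # DistributionPointName CHOICE
                if name_tag != TAG_CTX0_CONSTRUCTED:    # skip nameRelativeToCRLIssuer [1]
                    continue
                for gn_tag, gn in iter_tlvs(names):    # GeneralNames
                    if gn_tag == TAG_CTX6_URI:
                        uris.append(gn.decode("ascii"))
    return uris


def classify(uri, supported=SUPPORTED_SCHEMES):
    """Return 'fetchable', 'unsupported-scheme' or 'relative' for one CDP URI."""
    parts = urlsplit(uri)
    if not parts.scheme:
        return "relative"          # e.g. 'VPNCA-crl.pem': no fetcher can act on it
    return "fetchable" if parts.scheme.lower() in supported else "unsupported-scheme"


def report(ext_value):
    """Pair every CDP URI in the extension with its classification."""
    return [(uri, classify(uri)) for uri in cdp_uris(ext_value)]


def der(tag, body):
    """Encode one TLV; used only to build the constructed sample data below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def distribution_point(uri):
    """DistributionPoint { distributionPoint [0] { fullName [0] { [6] uri } } }."""
    name = der(TAG_CTX6_URI, uri.encode("ascii"))
    return der(TAG_SEQUENCE, der(TAG_CTX0_CONSTRUCTED, der(TAG_CTX0_CONSTRUCTED, name)))


# Constructed sample extension value (not taken from the certificate in the
# thread): one absolute http:// CDP on a hypothetical host, followed by a
# relative CDP of the kind that produced "no capable fetcher found".
SAMPLE_EXTENSION = der(
    TAG_SEQUENCE,
    distribution_point("http://crl.example.org/VPNCA-crl.pem")
    + distribution_point("VPNCA-crl.pem"),
)

if __name__ == "__main__":
    for uri, verdict in report(SAMPLE_EXTENSION):
        print(f"{verdict:18} {uri}")
```

To run this against a real certificate, extract the DER value of the 2.5.29.31 extension (for instance with an ASN.1 dumper) and pass those bytes to report(); a 'relative' verdict is exactly the case this thread describes, and the fix lies in how the CA issues its certificates, not in the strongSwan build.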
