[strongSwan] CRL check: how to fail over to local CRL if fetch fails

Tobias Brunner tobias at strongswan.org
Mon Apr 24 10:28:48 CEST 2017

Hi Zach,

> I do wish I could figure out the file:/// problem though.
> /usr/bin/curl has no problem fetching the CRL via the file URI, so I
> don't suspect libcurl is the problem. Besides it's a default Debian
> installation. Debian's libcurl should be pretty typical. Is there a
> way to coax more information out of the logs about why the fetch is
> failing?

It's caused by a too strict result code check that was added with 5.2.0
and was fixed with 5.3.4, see [1].

> After seeing:
> 09[LIB]   sending http request to 'file:///...'
> All I see is "crl fetching failed."
> The http request to file:// seems weird, though.

That's just the log message, the 'http' part was removed with the fix
for the issue above.


[1] https://wiki.strongswan.org/issues/1203

More information about the Users mailing list