Debian Bug report logs - #241982
racoon: Racoon X509 certs with libssl0.9.7 need an empty CRL setup to work with 'verify_cert: on'

Package: racoon; Maintainer for racoon is pkg-ipsec-tools team <pkg-ipsec-tools-devel@lists.alioth.debian.org>; Source for racoon is src:ipsec-tools.

Reported by: Matthew Grant <grantma@anathoth.gen.nz>

Date: Sun, 4 Apr 2004 06:33:03 UTC

Severity: normal

Found in version 0.2.4-3

Fixed in versions ipsec-tools/1:0.7.1-1.5, ipsec-tools/1:0.7.1-1.3+lenny2

Done: Stefan Bauer <stefan.bauer@cubewerk.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#241982; Package racoon.


Acknowledgement sent to Matthew Grant <grantma@anathoth.gen.nz>:
New Bug report received and forwarded.


Message #5 received at submit@bugs.debian.org:

From: Matthew Grant <grantma@anathoth.gen.nz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: racoon: Racoon X509 certs with libssl0.9.7 need an empty CRL setup to work with 'verify_cert: on'
Date: Sun, 04 Apr 2004 18:17:13 +1200
Package: racoon
Version: 0.2.4-3
Severity: normal

Needed to set up CRLs with libssl0.9.7 to get x509 certs to work.

Did not have to do this with libssl0.9.6 on woody.

Racoon failed with log message:

/var/log/daemon.log.0:Apr  3 22:36:15 zion racoon: ERROR:
crypto_openssl.c:348:cb_check_cert(): unable to get certificate CRL(3)
at depth:0 SubjectName:/C=NZ/ST=Wellington
Region/L=Wellington/O=Matthew's UNIX Box/OU=Systems
Administration/CN=donkey.anathoth.gen.nz/emailAddress=grantma@anathoth.gen.nz


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4-donkey
Locale: LANG=C, LC_CTYPE=C

Versions of packages racoon depends on:
ii  debconf                     1.4.21       Debian configuration management sy
ii  ipsec-tools                 0.2.4-3      IPsec tools for Linux
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Matthew Grant <grantma@anathoth.gen.nz>:
Bug#241982; Package racoon.


Acknowledgement sent to Anthony Prades <anthony.prades@aliacom.fr>:
Extra info received and forwarded to list. Copy sent to Matthew Grant <grantma@anathoth.gen.nz>.


Message #10 received at 241982@bugs.debian.org:

From: Anthony Prades <anthony.prades@aliacom.fr>
To: 241982@bugs.debian.org
Subject: racoon: Racoon X509 certs with libssl0.9.7 need an empty CRL setup to work with 'verify_cert: on'
Date: Thu, 22 Apr 2004 17:16:04 +0200
Hello,

    It's not a bug; you just need to create the CA CRL with:
        'openssl ca -gencrl -out crl.pem'

    Next, you need to put this file in the '/etc/racoon/certs/' directory with a file
name like '<hash>.r0'

Best regards.



Information forwarded to debian-bugs-dist@lists.debian.org, Ganesan Rajagopal <rganesan@debian.org>:
Bug#241982; Package racoon. (Mon, 22 Feb 2010 15:27:09 GMT)


Acknowledgement sent to Jan Sievers <sievers@zedat.fu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Ganesan Rajagopal <rganesan@debian.org>. (Mon, 22 Feb 2010 15:27:10 GMT)


Message #15 received at 241982@bugs.debian.org:

From: Jan Sievers <sievers@zedat.fu-berlin.de>
To: Debian Bug Tracking System <241982@bugs.debian.org>
Subject: racoon: Can we close this bug?
Date: Mon, 22 Feb 2010 16:26:34 +0100
Package: racoon
Followup-For: Bug #241982

With current versions of racoon it does *not fail*, but prints a warning
such as:

    Feb 22 15:49:25 1e:example_host racoon: WARNING: unable to get
    certificate CRL(3) at depth:2
    SubjectName:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01

As stated earlier in message #10 you can calm down racoon by providing
the CRLs and adding links in the certs directory, e.g. '/etc/racoon/certs/':

    ln -s CA-CRL.pem `openssl crl -noout -hash < CA-CRL.pem`.r0

I think we can close this bug as *fixed*.

Best regards,
Jan

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages racoon depends on:
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  ipsec-tools     1:0.7.1-1.3+lenny2       IPsec tools for Linux
ii  libc6           2.7-18lenny2             GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime libraries
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libssl0.9.8     0.9.8g-15+lenny6         SSL shared libraries
ii  perl            5.10.0-19lenny2          Larry Wall's Practical Extraction 

racoon recommends no packages.

racoon suggests no packages.

-- debconf information excluded
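
The fix from messages #10 and #15, reproduced end to end as an added example (not part of the original thread). A throwaway CA in a temporary directory stands in for the real one, `openssl verify -crl_check` stands in for racoon's certificate check, and every name and path is constructed.

```shell
#!/bin/sh
# Added example: every name and path here is constructed for the demo.
crl_link_demo() {
    work=$(mktemp -d) || return 1
    certs="$work/certs"                       # stands in for /etc/racoon/certs/
    mkdir "$certs" && : > "$work/index.txt"   # empty CA database => empty CRL
    cat > "$work/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $work/index.txt
default_md = sha256
default_crl_days = 30
EOF
    # Throwaway CA and one peer certificate signed by it.
    openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout "$work/ca.key" -out "$certs/ca.pem" 2>/dev/null &&
    openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=peer.example" -keyout "$work/peer.key" -out "$work/peer.csr" 2>/dev/null &&
    openssl x509 -req -in "$work/peer.csr" -CA "$certs/ca.pem" -CAkey "$work/ca.key" \
        -set_serial 2 -days 30 -out "$work/peer.pem" 2>/dev/null || return 1
    # The CA certificate is looked up in the directory as <hash>.0.
    ln -s ca.pem "$certs/$(openssl x509 -noout -hash -in "$certs/ca.pem").0"
    # 1) CRL checking on, no CRL present: verification is expected to fail.
    if openssl verify -crl_check -CApath "$certs" "$work/peer.pem" >/dev/null 2>&1
    then before=ok; else before=fail; fi
    # 2) Empty CRL (message #10), linked as <hash>.r0 (message #15).
    openssl ca -config "$work/ca.cnf" -gencrl -cert "$certs/ca.pem" \
        -keyfile "$work/ca.key" -out "$certs/CA-CRL.pem" 2>/dev/null || return 1
    ln -s CA-CRL.pem "$certs/$(openssl crl -noout -hash -in "$certs/CA-CRL.pem").r0"
    if openssl verify -crl_check -CApath "$certs" "$work/peer.pem" >/dev/null 2>&1
    then after=ok; else after=fail; fi
    rm -rf "$work"
    echo "no-crl=$before with-crl=$after"
}
crl_link_demo
```

The CRL's issuer hash equals the CA certificate's subject hash, so the `.0` and `.r0` links share the same stem; a CRL past its next-update time would fail the same check, so the file needs regenerating on a schedule.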




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#241982; Package racoon. (Wed, 24 Feb 2010 11:03:06 GMT)


Acknowledgement sent to Stefan Bauer <stefan.bauer@cubewerk.de>:
Extra info received and forwarded to list. (Wed, 24 Feb 2010 11:03:06 GMT)


Message #20 received at 241982@bugs.debian.org:

From: Stefan Bauer <stefan.bauer@cubewerk.de>
To: 241982@bugs.debian.org, control@bugs.debian.org
Subject: racoon: Racoon X509 certs with libssl0.9.7 need an empty CRL setup to work with 'verify_cert: on'
Date: Wed, 24 Feb 2010 11:56:57 +0100
fixed 241982 1:0.7.1-1.3+lenny2
close 241982
thanks

Hi Jan,

thanks for your reply.

Stefan
-- 
Stefan Bauer -----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------




Bug Marked as fixed in versions ipsec-tools/1:0.7.1-1.3+lenny2. Request was from Stefan Bauer <stefan.bauer@cubewerk.de> to control@bugs.debian.org. (Wed, 24 Feb 2010 11:03:16 GMT)


Bug closed, send any further explanations to Matthew Grant <grantma@anathoth.gen.nz> Request was from Stefan Bauer <stefan.bauer@cubewerk.de> to control@bugs.debian.org. (Wed, 24 Feb 2010 11:03:17 GMT)


Marked as fixed in versions ipsec-tools/1:0.7.1-1.5. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Fri, 01 Nov 2013 01:21:15 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Nov 2013 07:46:32 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 00:24:05 2017; Machine Name: beach
