It doesn't work with these options; without "check_crl = yes" it works fine.
The tls section looks like this:
# EAP-TLS server-side TLS settings from eap.conf (FreeRADIUS 1.0.2).  Client
# certificates are verified against CA_file; with check_crl = yes OpenSSL also
# requires a CRL from the issuing CA to be present in the store.
tls {
private_key_password = ******
private_key_file =
${raddbdir}/certs/[EMAIL PROTECTED]
certificate_file =
${raddbdir}/certs/[EMAIL PROTECTED]
# CA certificate with the PEM CRL appended (WisecCA-crl-cert.pem, shown below),
# as suggested in the quoted reply.  NOTE(review): decoding that CRL shows a
# version-1 CRL signed with md5WithRSAEncryption, nextUpdate 2005-06-18, and
# serials 1, 2, 4, 5, 6, 8 and 9 listed as revoked.  Once nextUpdate has passed
# OpenSSL normally rejects every client with "CRL has expired" until a fresh
# CRL is appended; MD5 signatures should not be relied on for a CA.
CA_file = ${raddbdir}/certs/WisecCA-crl-cert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
# NOTE(review): hard-coded path while the other files use ${raddbdir} -- confirm
# it is the same directory.  OpenSSL only finds certificates and CRLs in CA_path
# via hash-named links (c_rehash); a bare directory of PEM files adds nothing.
CA_path = /etc/raddb/certs/
# Enable CRL checking.  The "verify error:num=23:certificate revoked" in the log
# below is only raised when the client's serial is actually found in the CRL,
# so the CRL is being loaded and applied; compare the rejected cert's serial
# (openssl x509 -noout -serial) with the revoked serials listed above.
check_crl = yes
}
WisecCA-crl-cert.pem:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIIB9DCB3TANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJDSDEQMA4GA1UEAxMH
V2lzZWNDQRcNMDUwNTE5MTEyODIwWhcNMDUwNjE4MTEyODIwWjCBjDASAgEBFw0w
NTA0MjAxMTI5MDJaMBICAQIXDTA1MDQyMDExMjkyMVowEgIBBBcNMDUwNDIwMTEw
NjEwWjASAgEFFw0wNTA0MTUxNDEyMTJaMBICAQYXDTA1MDQxNTE0MzI0NVowEgIB
CBcNMDUwNDIwMTExNTI2WjASAgEJFw0wNTA0MjAxMjE0NDZaMA0GCSqGSIb3DQEB
BAUAA4IBAQAjmIKSGqsclji8bwhy7y0CBYc9ray+LfTmUqBWP5aNWjfNrzLO9Rjs
GA/9fnE913FQ15KvZ4h8wHPqNBTee3+gJDi3vcGR4F1zvSEHtJ3r+VS6Mr+LtPZ4
9hfTkUPSMfQX7KpMdzXETlL2DG9VtWJqGHBEijhc5oGCu28Ug+bcI5W+GvFBGkPP
o7rK42pZGHCUB0F2RtEsKIhmKS116zk+pyD8CFcyU+J66y587iATjcqUgpUeAWAn
vaLo7kcrjNvZQBJmWdb86aklhWBTh92Hc4yS8c0iEfiBF/nZNP0WnGmLf/Y1jgsg
iLc0HCWuS83bimCsYqWCecgPODqBrHfQ
-----END X509 CRL-----
The error output of the FreeRADIUS server is:
EAP-Message =
0x079e733e05dfe7ac7708ad24f76e991546ceac3945caf1ca9a137659
NAS-IP-Address = 192.168.1.253
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
--> verify error:num=23:certificate revoked
chain-depth=0,
error=23
--> User-Name = jonas
--> BUF-Name = Kom
--> subject = /C=CH/CN=Kom/[EMAIL PROTECTED]
--> issuer = /C=CH/CN=WisecCA
--> verify return:0
TLS Alert write:fatal:certificate revoked
TLS_accept:error in SSLv3 read client certificate B
23565:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned:s3_srvr.c:2021:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Sending Access-Challenge of id 6 to 152.96.235.100:1259
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010700110d80000000071503010002022c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6c39aacc0c38541eaf1612acfd676fd0
rad_recv: Access-Request packet from host 152.96.235.100:1259, id=7, length=202
Message-Authenticator = 0xe47621ea9f44fb2fb99e8b9f7393eafa
Service-Type = Framed-User
User-Name = "jonas"
Framed-MTU = 1488
State = 0x6c39aacc0c38541eaf1612acfd676fd0
Called-Station-Id = "00-06-B1-12-65-01:wisec"
Calling-Station-Id = "00-0F-A3-1D-A6-D6"
NAS-Identifier = "SonicPoint 126500"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11a"
EAP-Message = 0x020700060d00
NAS-IP-Address = 192.168.1.253
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
rlm_eap_tls: Received EAP-TLS ACK message
rad_recv: Access-Request packet from host 152.96.235.100:1259, id=7, length=202
Sending Access-Reject of id 7 to 152.96.235.100:1259
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Not all of the certificates are revoked in the CRL, yet the server rejects every client!
Thanks for your reply,
alain
> There are no "crl_dir" and "crl" configuration options recognized by the
> server. You must have added those. The correct way to do this is to
> add the PEM encoded CRL to the end of your PEM encoded CA certificate,
> referenced by the CA_file configuration option, then set check_crl = yes.
>
> --Mike
>
>
> [EMAIL PROTECTED] wrote:
>
> >Does no one have a solution to this problem?
> >
> >thanks for help
> >
> >Alain
> >
> >
> >
> >>Hi,
> >>
> >>I work with freeradius 1.0.2
> >>
> >>If I configure the following in the TLS section of eap.conf (without these entries the
> >>authentication process works fine)
> >>
> >>CA_path = /path
> >>check_crl = yes
> >>crl_dir = /path
> >>crl = file
> >>
> >>no certificate is accepted any more (I generate the certificates and the CRL
> >>with
> >>TinyCA).
> >>
> >>How must I configure eap.conf so that the authentication process
> works
> >>correctly?
> >>
> >>Does anyone have a working EAP/TLS authentication setup where the CRL check works?
> >>
> >>Thanks for help
> >>
> >>Alain
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> >