Hi, I'm doing something wrong with my Certificate Revocation List but I can't seem to understand what.
I'm using freeradius 2.1.7 and openssl 0.9.8k. I'm self-signing the certificates. With "check_crl = no" everything works well. However, authentication does not work with "check_crl = yes" and I get an "unable to get certificate CRL" error. How can I debug this and understand why it can't get the CRL?

Here are the steps I perform:

# cd /etc/ssl
# openssl ca -gencrl -keyfile FHM-CA/certs/radius_client_D_831_key.pem -cert FHM-CA/certs/radius_client_D_831_cert.pem -out FHM-CA/crl/FHM_crl.pem -crldays 60
# c_rehash FHM-CA/crl
# cp FHM-CA/cacert.pem /etc/raddb/certs/FHM/
# cat FHM-CA/crl/FHM_crl.pem >> /etc/raddb/certs/FHM/cacert.pem
# openssl verify -CApath FHM-CA/crl FHM-CA/crl/radius_client_D_831_cert.pem
FHM-CA/crl/radius_client_D_831_cert.pem: OK

eap.conf:

tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = xxxxx
        private_key_file = ${certdir}/FHM/radius_server_keycert.pem
        certificate_file = ${certdir}/FHM/radius_server_keycert.pem
        CA_file = ${cadir}/FHM/cacert.pem
        dh_file = ${certdir}/FHM/dh
        random_file = ${certdir}/FHM/random

        # Check the Certificate Revocation List
        #
        # 1) Copy CA certificates and CRLs to same directory.
        # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
        #    'c_rehash' is OpenSSL's command.
        # 3) uncomment the line below.
        # 5) Restart radiusd
        check_crl = yes
        CA_path = /etc/ssl/FHM-CA/crl/
        crl_file = /etc/ssl/FHM-CA/crl/FHM_crl.pem
        crl_path = /etc/ssl/FHM-CA/crl/FHM_crl.pem
}

The supplicant has the radius_client_D_831_cert.p12 certificate but I get this error on the freeradius server:

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 1812
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 05fe], Certificate
--> verify error:num=3:unable to get certificate CRL
[peap] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Any ideas are greatly appreciated.

Vieri

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
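A way to reproduce and narrow down the "verify error:num=3:unable to get certificate CRL" seen in the log above, as an added example that is not part of the original post: OpenSSL locates a CRL by its Issuer name, so a CRL is only usable for checking certificates issued by a CA when that CRL was signed with the CA's key and carries the CA's Subject as Issuer. The script builds a throwaway CA and client certificate, generates one CRL signed by the CA and one signed with the client key and cert (the way the `openssl ca -gencrl -keyfile ... -cert ...` arguments are combined above), and runs the same `openssl verify -crl_check` against a CA-plus-CRL bundle like the poster's cacert.pem. It assumes only the openssl CLI on PATH; all file and subject names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throwaway CA and client
# certificate, then shows the two checks that pin down an "unable to get
# certificate CRL" verify error: does the CRL's Issuer match the CA's Subject,
# and does 'openssl verify -crl_check' accept the client cert with that CRL?
# Assumes only the openssl CLI on PATH; every name below is constructed.
set -e
W=$(mktemp -d)

# Minimal config so 'openssl ca -gencrl' runs without a full CA directory tree.
printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s/index.txt\ncrlnumber=%s/crlnumber\ndefault_md=sha256\ndefault_crl_days=60\n' "$W" "$W" > "$W/ca.cnf"
: > "$W/index.txt"
echo 01 > "$W/crlnumber"

# Self-signed CA and one client certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/ca.key" -out "$W/ca.pem" -subj /CN=Demo-CA -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$W/client.key" -out "$W/client.csr" -subj /CN=client 2>/dev/null
openssl x509 -req -in "$W/client.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" -CAcreateserial -out "$W/client.pem" -days 30 2>/dev/null

# Two CRLs: one signed with the CA key (correct), one signed with the client
# key and cert (the mistake that leaves the CA with no CRL at all).
openssl ca -config "$W/ca.cnf" -gencrl -keyfile "$W/ca.key" -cert "$W/ca.pem" -out "$W/good_crl.pem" 2>/dev/null
openssl ca -config "$W/ca.cnf" -gencrl -keyfile "$W/client.key" -cert "$W/client.pem" -out "$W/bad_crl.pem" 2>/dev/null

# OpenSSL looks up a CRL by Issuer name, so a CRL is only usable for a CA when
# its Issuer equals that CA's Subject. Prints yes or no.
crl_issuer_matches_ca() {  # $1 = CRL file, $2 = CA cert file
  i=$(openssl crl -in "$1" -noout -issuer | sed 's/^[a-z]*= *//')
  s=$(openssl x509 -in "$2" -noout -subject | sed 's/^[a-z]*= *//')
  [ "$i" = "$s" ] && echo yes || echo no
}

# The same check the RADIUS server's TLS stack performs: verify the client cert
# with CRL checking against a bundle of CA cert + CRL, built the way the
# poster's cacert.pem is. Prints OK or the verify error text.
verify_with_crl() {  # $1 = CRL file
  cat "$W/ca.pem" "$1" > "$W/bundle.pem"
  out=$(openssl verify -crl_check -CAfile "$W/bundle.pem" "$W/client.pem" 2>&1 || true)
  case "$out" in
    *": OK") echo OK ;;
    *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

echo "good CRL issuer matches CA: $(crl_issuer_matches_ca "$W/good_crl.pem" "$W/ca.pem")"
echo "bad  CRL issuer matches CA: $(crl_issuer_matches_ca "$W/bad_crl.pem" "$W/ca.pem")"
echo "verify with good CRL: $(verify_with_crl "$W/good_crl.pem")"
echo "verify with bad  CRL: $(verify_with_crl "$W/bad_crl.pem")"
```

Running the same two checks against a real CA certificate and CRL tells you whether the CRL can ever be found for that CA before touching the RADIUS configuration.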