All, I suppose I should also provide the details I have in the Radiator configuration:
Protocol tcp
UseTLS
TLS_Protocols TLSv1.2
Secret radsec
TLS_CAFile %D/cert/roaming-eduPKI-CA.crt
TLS_CertificateFile %D/cert/hostname-eduPKI.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile %D/cert/hostname-key.pem
TLS_PolicyOID [redacted]
TLS_RequireClientCert
TLS_Ciphers [redacted]
TLS_OCSPCheck
TLS_OCSPStapling
# TLS_CRLCheck
# TLS_CRLFile %D/cert/cacrl.pem

I would have thought that the TLS_CAFile value would be used by -issuer and -CAfile. I suspect, by the error message displayed, that the -CAfile value is not being supplied (and the CA assumed to be in the default CA directory)...

As before, thoughts are much appreciated :-)

Stefan

On Tue, 15 Aug 2023 at 21:32, Stefan Paetow (OpenSource) <o...@eons.net> wrote:
> Hi there,
>
> So, I've tried to use OCSP validation with the certificates issued by
> eduPKI (so this covers the majority of eduroam national operators and some
> identity providers). Radiator didn't like it and kicked up failures.
>
> I then tried manually verifying and that succeeds, using this
> command-line:
>
> openssl ocsp -issuer /etc/radiator/cert/roaming-eduPKI-CA.crt -cert
> /etc/radiator/cert/hostname-eduPKI.pem -CAfile
> /etc/radiator/cert/roaming-eduPKI-CA.crt -url
> http://ocsp.edupki.org/OCSP-Server/OCSP
>
> The URL is obviously retrieved from the certificate, but it appears
> there's something missing when Radiator tries to do an OCSP verify.
>
> Thoughts?
>
> With kind regards
>
> Stefan
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
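A way to see what the -CAfile argument contributes to the manual check quoted above, as an added example (written for this page; it is not part of the thread and not Radiator code): the script builds a throwaway CA, a delegated OCSP responder and a RadSec-style server certificate, answers an OCSP request for that certificate offline with openssl ocsp in responder mode (-index/-reqin/-respout, so no network responder is contacted), and then verifies the stored response once with -CAfile and once without it. The CA and responder names, the serials, the AIA URL http://ocsp.example.test/OCSP and the index.txt row are all constructed for the example. It shows only how the openssl ocsp client behaves with and without a trust store; it does not show what Radiator passes to OpenSSL.

```shell
#!/bin/sh
# Added example, not from the thread or from Radiator. Builds a throwaway PKI
# (CA, delegated OCSP responder, RadSec-style leaf), signs an OCSP response
# for the leaf offline, then verifies it with and without -CAfile.
# All names, serials and the AIA URL are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # every generated file lands here

# Generate CA, delegated OCSP responder and leaf. Idempotent: skips if done.
make_test_pki() {
    [ -f "$WORK/leaf.crt" ] && return 0
    cat > "$WORK/ext.cnf" <<'EOF'
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash

[ ocsp_signer ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning

[ leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/OCSP
EOF
    # CA: CSR first, then self-sign, so the extensions come from ext.cnf only
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.csr" -subj "/CN=Example RadSec CA" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -set_serial 0x1000 -extfile "$WORK/ext.cnf" -extensions ca \
        -out "$WORK/ca.crt" 2>/dev/null
    # Delegated OCSP responder (EKU OCSPSigning) issued by the CA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ocsp.key" \
        -out "$WORK/ocsp.csr" -subj "/CN=Example OCSP Responder" 2>/dev/null
    openssl x509 -req -in "$WORK/ocsp.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 0x1002 -days 365 -extfile "$WORK/ext.cnf" -extensions ocsp_signer \
        -out "$WORK/ocsp.crt" 2>/dev/null
    # Leaf: the RadSec server certificate, carrying the OCSP URL in its AIA
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=radsec.example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 0x1001 -days 365 -extfile "$WORK/ext.cnf" -extensions leaf \
        -out "$WORK/leaf.crt" 2>/dev/null
    # CA database the responder consults: one valid (V) row for serial 1001
    printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=radsec.example.test\n' > "$WORK/index.txt"
    echo 'unique_subject = yes' > "$WORK/index.txt.attr"
}

# The OCSP URL a client takes from the leaf's authorityInfoAccess extension
leaf_ocsp_uri() {
    openssl x509 -in "$WORK/leaf.crt" -noout -ocsp_uri
}

# Build a request for the leaf and answer it offline with the responder key
sign_ocsp_response() {
    openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" \
        -rsigner "$WORK/ocsp.crt" -rkey "$WORK/ocsp.key" \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
}

# Verify the stored response as the openssl client would, with or without
# -CAfile. Prints "verify-ok" or "verify-failed" and the leaf's status.
verify_ocsp_response() {
    if [ "${1:-with_cafile}" = with_cafile ]; then
        out=$(openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" -no_nonce \
              -respin "$WORK/resp.der" -CAfile "$WORK/ca.crt" 2>&1) || true
    else
        out=$(openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/leaf.crt" -no_nonce \
              -respin "$WORK/resp.der" 2>&1) || true
    fi
    case "$out" in
        *"Response verify OK"*) verdict=verify-ok ;;
        *) verdict=verify-failed ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/^.*leaf\.crt: \([a-z]*\).*$/\1/p' | head -n 1)
    printf '%s %s\n' "$verdict" "${status:-unknown}"
}

# Demo run: the AIA URL, then both verification outcomes
make_test_pki
sign_ocsp_response
echo "OCSP URL in leaf AIA:    $(leaf_ocsp_uri)"
echo "verify with    -CAfile: $(verify_ocsp_response with_cafile)"
echo "verify without -CAfile: $(verify_ocsp_response without_cafile)"
```

Run as-is. The run with -CAfile reports verify-ok and the leaf as good; the run without it reports verify-failed, because the responder certificate's chain has to end at a CA in the trust store, and a private CA is not in the default one. The generated material stays in $WORK (a mktemp directory) and can be inspected with openssl ocsp -respin resp.der -text -noverify.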