Hi,

   Looking at Net-SSLeay-1.55 I found there are now more low-level CRL 
functions (low-level API: X509_CRL_-related functions). Are they, or will they, 
be included in a newer Radiator release to clear a CRL and re-load it correctly 
without a server restart?

Thank you
Markus

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:55 PM
To: radiator@open.com.au 
Subject: Re: [RADIATOR] CRL reload question

And openssl is 0.9.8x.

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:45 PM
To: radiator@open.com.au 
Subject: Re: [RADIATOR] CRL reload question

I forgot to say that I use Radiator 4.9

Markus

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:30 PM
To: radiator@open.com.au 
Subject: [RADIATOR] CRL reload question

Hi,

  I have a setup for EAP-TLS using CRLs and have the problem that an updated 
CRL is not correctly re-read in some particular situations when the CRL was 
expired for a moment. The setup is as follows:

<AuthBy FILE>
  Identifier EapTLS
  # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
  Filename %D/wlan_users
  EAPType TLS

  # WLAN Additional Certificate Check
  EAPTLS_CertificateVerifyHook file:"%D/hooks/check.pl"

  # WLAN root CAs
  EAPTLS_CAFile %{GlobalVar:CertsDir}/all-CAs.pem

  EAPTLS_CertificateType PEM

  # Radiator Cert
  EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server_cert.pem
  # Radiator private key
  EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server_cert.key

  EAPTLS_MaxFragmentSize 1000

  EAPTLS_CRLCheck
  EAPTLS_CRLFile %{GlobalVar:CertsDir}/CA-crl.pem

  AutoMPPEKeys

</AuthBy>


Usually when a client connects I get: 

Wed Sep 18 07:46:04 2013: DEBUG: (Re)loading CRL file '/var/opt/certs/CA-crl.pem'
Wed Sep 18 07:46:04 2013: ERR: Failed to add CRL file '/var/opt/certs/CA-crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table

which, despite the error, seems to read any updated CRL. (Or do I have this wrong? 
Is this only because it reads the same CRL, not an updated CRL?)

Now the CRL is downloaded on an hourly basis and in the situation where the CRL 
expired during that hour and a client connects I get the error

CRL has expired,  7159: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

which I expect, but I would also think that after the new CRL is downloaded 
(at the latest an hour after expiry) the new, updated CRL should be loaded. If not, what 
would be the recommended way to read a new/updated CRL?

Thank you
Markus
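The failure window in this thread is the gap between a CRL's nextUpdate and the next hourly download: during that gap every EAP-TLS client is rejected with "CRL has expired". A defender can catch that before it happens by checking the CRL file's validity window against the refresh interval. The script below is an added example, not code from the thread, from Net::SSLeay or from Radiator; it parses thisUpdate/nextUpdate from a PEM or DER CRL with only the Python standard library, and it assumes the hourly refresh cadence the poster describes. The sample CRL it builds is constructed and unsigned (issuer CN=CA, empty signature), so it exercises the parser only; pointing the script at a real file such as the `/var/opt/certs/CA-crl.pem` from the log lines works the same way.

```python
"""Added example (not from the thread or from Radiator): parse a CRL's
thisUpdate/nextUpdate with only the standard library and flag a CRL that
will lapse before the next scheduled download."""
import base64
import re
from datetime import datetime, timedelta, timezone

# Assumption: the CRL is re-downloaded hourly, as described in the thread.
REFRESH_INTERVAL = timedelta(hours=1)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_asn1_time(tag: int, value: bytes) -> datetime:
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) as UTC."""
    text = value.decode("ascii")
    if tag == 0x17:
        parsed = datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:
        parsed = datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return parsed.replace(tzinfo=timezone.utc)


def pem_to_der(data: bytes) -> bytes:
    """Accept either PEM ('-----BEGIN X509 CRL-----') or raw DER."""
    match = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
    return base64.b64decode(match.group(1)) if match else data


def der_to_pem(der: bytes) -> bytes:
    body = base64.encodebytes(der)
    return b"-----BEGIN X509 CRL-----\n" + body + b"-----END X509 CRL-----\n"


def crl_validity(crl: bytes):
    """Return (thisUpdate, nextUpdate) of a CRL; nextUpdate is None if absent.

    CertificateList ::= SEQUENCE { tbsCertList SEQUENCE { version INTEGER OPTIONAL,
    signature AlgorithmIdentifier, issuer Name, thisUpdate Time,
    nextUpdate Time OPTIONAL, ... }, signatureAlgorithm, signatureValue }
    """
    tag, cert_list, _ = read_tlv(pem_to_der(crl), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = read_tlv(cert_list, 0)        # tbsCertList
    tag, _, pos = read_tlv(tbs, 0)            # version (optional) or signature
    if tag == 0x02:
        _, _, pos = read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)            # issuer Name
    tag, value, pos = read_tlv(tbs, pos)      # thisUpdate
    this_update = parse_asn1_time(tag, value)
    next_update = None
    if pos < len(tbs):
        tag, value, _ = read_tlv(tbs, pos)
        if tag in (0x17, 0x18):               # nextUpdate is OPTIONAL; otherwise this is revokedCertificates
            next_update = parse_asn1_time(tag, value)
    return this_update, next_update


def crl_status(next_update, now: datetime, refresh: timedelta = REFRESH_INTERVAL) -> str:
    """Classify the CRL against the next refresh; 'expires-before-refresh' is the
    window in which the thread's 'CRL has expired' rejections happen."""
    if next_update is None:
        return "no-nextupdate"
    if next_update <= now:
        return "expired"
    if next_update <= now + refresh:
        return "expires-before-refresh"
    return "ok"


def tlv(tag: int, content: bytes) -> bytes:
    """Short-form DER encoder, enough for the constructed sample below."""
    if len(content) >= 128:
        raise ValueError("short-form DER only")
    return bytes([tag, len(content)]) + content


def build_sample_crl(this_update: str, next_update: str) -> bytes:
    """Constructed, UNSIGNED sample CRL (issuer CN=CA, empty signature bit string);
    it exercises the parser only and would not verify against any CA."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, b"CA"))))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer
              + tlv(0x17, this_update.encode()) + tlv(0x17, next_update.encode()))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x00"))


if __name__ == "__main__":
    import sys
    # Real use: python crl_check.py /var/opt/certs/CA-crl.pem ; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        now = datetime.now(timezone.utc)
    else:
        data = der_to_pem(build_sample_crl("130918070000Z", "130918073000Z"))
        now = parse_asn1_time(0x17, b"130918074604Z")   # timestamp of the log lines in the thread
    this_u, next_u = crl_validity(data)
    print("thisUpdate=%s nextUpdate=%s status=%s" % (this_u, next_u, crl_status(next_u, now)))
```

Run from cron a few minutes after each hourly download: a status of "expires-before-refresh" means the CRL just fetched will lapse before the next fetch, so the CA's CRL publication period is shorter than the download interval (or the downloaded copy is stale), which is the condition to fix before Radiator starts rejecting clients.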


--------------------------------------------------------------------------------
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator