Re: EAP-TLS CRL checking when multiple CAs used

2011-11-15 Thread Martin Čmelík
Hi all,

The problem was on my side. I missed adding one more CRL to the certs directory.

Thank you for all your help!

Best regards,

—
Martin Čmelík



2011/11/14 Martin Čmelík martin.cme...@gmail.com:
 Hi Alan,

 I did; there is nothing about it.

 Only this:

 #  Check the Certificate Revocation List
 #
 #  1) Copy CA certificates and CRLs to same directory.
 #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
 #    'c_rehash' is OpenSSL's command.
 #  3) uncomment the line below.
 #  5) Restart radiusd
 #       check_crl = yes

 We have all CAs in ca.pem and the CRL lists in separate files:
 crl1.pem + .der, crl2.pem + .der, etc.

 Stefan,

 That's what I did.
 OK, I will try to do the same thing with the previous configuration. Maybe
 I missed something.

 Thank you


 —
 Martin Čmelík




 2011/11/14 Alan DeKok al...@deployingradius.com:
 Martin Čmelík wrote:
 The question is: when FreeRADIUS receives a user certificate, how does the
 daemon find the correct CRL list in the certs directory?

  Read raddb/eap.conf.  This is documented.

  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html





Re: EAP-TLS CRL checking when multiple CAs used

2011-11-14 Thread Martin Čmelík
Hi,

does nobody know how to set up FreeRADIUS to check new CRL lists? Should I
provide more information (it is not easy to get the output of radiusd
-X, but if it is essential I can try)?

Thank you for any suggestion

—
Martin Čmelík





2011/11/10 Martin Čmelík martin.cme...@gmail.com:
 Hi,

 I downloaded the current stable FreeRADIUS version 2.1.12 and imported the
 configuration from the old server (rewrote etc/raddb).
 Everything seems to be OK, but I must now add another two trusted CAs
 into ca.pem and also enable checking against CRL files, as for the others.

 Let's say that eap.conf has the default setup:

                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.pem
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        check_crl = yes
                        CA_path = ${cadir}
                        cipher_list = DEFAULT
                        make_cert_command = ${certdir}/bootstrap
                        ecdh_curve = prime256v1
                        cache {
                              enable = no
                              max_entries = 255
                        }
                        verify {
                        }
                        ocsp {
                              enable = no
                              override_cert_url = yes
                              url = http://127.0.0.1/ocsp/;
                        }
                }

 One of our scripts downloads CRL files every 20 minutes, moves them to the
 certs directory and c_rehashes them.

 It works for the old certificates (4 CAs) but doesn't work for the two which
 I added now.

 When somebody with a certificate issued by a new CA tries to log in, I see
 this error in the log:

 Thu Nov 10 12:56:51 2011 : Error: --> verify error:num=3:unable to get certificate CRL
 Thu Nov 10 12:56:51 2011 : Auth: Login incorrect (unable to get certificate CRL): [John Smith] (from client some-device port 29 cli AA-BB-CC-DD-EE-FF)

 The hashes are generated correctly:

 lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 21e0d39d.r0 -> crl3.pem
 lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 3cc8c9a0.r0 -> crl6.pem
 lrwxrwxrwx 1 radius radius     20 Nov 10 16:19 5a64316f.0 -> radius.crt
 lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 5be750ed.r0 -> crl2.pem
 lrwxrwxrwx 1 radius radius     20 Nov 10 16:19 68db0f86.0 -> radius.pem
 lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 92b2a332.r0 -> crl5.pem
 lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 b0f3e76e.r0 -> crl4.pem
 lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 f31b716b.r0 -> crl1.pem
 lrwxrwxrwx 1 radius radius      6 Nov 10 16:19 f6efabfa.0 -> ca.pem

 ...

 My question is: how does FreeRADIUS find the correct CRL list and check
 whether the user certificate is still valid?

 This RADIUS server was set up by a colleague many years ago and he
 can't remember how he did it :]

 Thank you very much, because there is a lack of any information about it
 on the Internet.

 —
 Martin Čmelík




Re: EAP-TLS CRL checking when multiple CAs used

2011-11-14 Thread Alan DeKok
Martin Čmelík wrote:
 does nobody know how to set up FreeRADIUS to check new CRL lists?

  FreeRADIUS uses OpenSSL for CRLs (and everything SSL).  OpenSSL does
not support dynamically adding CRLs at run time.

  See the ocsp support in 2.1.12.

  Alan DeKok.


Re: EAP-TLS CRL checking when multiple CAs used

2011-11-14 Thread Martin Čmelík
Hi,

maybe I explained it wrongly.

We now have 4 CAs and 4 CRL lists, and checking against them works
fine. I must add two new CAs (into ca.pem, like the others), but FreeRADIUS
can't compare the user certificate against the correct CRL list (crl5.pem,
crl6.pem).

The question is: when FreeRADIUS receives a user certificate, how does the
daemon find the correct CRL list in the certs directory?

Thank you

—
Martin Čmelík



2011/11/14 Alan DeKok al...@deployingradius.com:
 Martin Čmelík wrote:
 does nobody know how to set up FreeRADIUS to check new CRL lists?

  FreeRADIUS uses OpenSSL for CRLs (and everything SSL).  OpenSSL does
 not support dynamically adding CRLs at run time.

  See the ocsp support in 2.1.12.

  Alan DeKok.




Re: EAP-TLS CRL checking when multiple CAs used

2011-11-14 Thread Alan DeKok
Martin Čmelík wrote:
 The question is: when FreeRADIUS receives a user certificate, how does the
 daemon find the correct CRL list in the certs directory?

  Read raddb/eap.conf.  This is documented.

  Alan DeKok.


Re: EAP-TLS CRL checking when multiple CAs used

2011-11-14 Thread Stefan Winter
Hi,

 The question is: when FreeRADIUS receives a user certificate, how does the
 daemon find the correct CRL list in the certs directory?

The CRL needs to be in the same directory as the CAs, and needs to be
hashed with c_rehash just like the CA certs. CRLs automatically get the
hash suffix .r0 instead of .0.

You will still need to restart FreeRADIUS after downloading a new CRL;
re-reading them at runtime is not possible due to glorious openSSL.

Stefan
 

 Thank you

 —
 Martin Čmelík



 2011/11/14 Alan DeKok al...@deployingradius.com:
 Martin Čmelík wrote:
 does nobody know how to set up FreeRADIUS to check new CRL lists?
  FreeRADIUS uses OpenSSL for CRLs (and everything SSL).  OpenSSL does
 not support dynamically adding CRLs at run time.

  See the ocsp support in 2.1.12.

  Alan DeKok.


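Stefan's description of the lookup (CAs and CRLs in one directory, hashed by c_rehash, CRL links named <hash>.r0) can be checked mechanically. The script below is an added example written for this thread, not code from FreeRADIUS or from anyone on the list; it assumes only the openssl command-line tool and takes the CA_path directory as its argument. It lists each CA in that directory that has no CRL with a matching issuer hash, or whose <hash>.r0 link was never regenerated, which are the conditions behind "unable to get certificate CRL" when check_crl = yes.

```shell
#!/bin/sh
# Added example for this thread, not FreeRADIUS code. With check_crl = yes OpenSSL
# finds a CRL via <issuer-hash>.r0 next to the CA's <subject-hash>.0, so a CA with
# no matching, rehashed CRL fails every client certificate it issued.

# Print "<subject-hash> <file>" for each CA in $1, splitting bundles such as
# ca.pem that hold several CAs. End-entity certificates (server.pem, radius.crt
# in the thread) are skipped via basicConstraints.
ca_hashes() {
  tmp=$(mktemp -d)
  for f in "$1"/*.pem "$1"/*.crt; do
    [ -f "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f" || continue
    awk -v out="$tmp/c" '/BEGIN CERTIFICATE/{n++} n{print > (out n ".pem")}' "$f"
    for c in "$tmp"/c*.pem; do
      if openssl x509 -noout -text -in "$c" 2>/dev/null | grep -q 'CA:TRUE'; then
        printf '%s %s\n' "$(openssl x509 -noout -hash -in "$c")" "${f##*/}"
      fi
      rm -f "$c"
    done
  done
  rmdir "$tmp"
}
# Issuer hash of a PEM or DER CRL; prints nothing and fails if $1 is not a CRL.
crl_hash() {
  openssl crl -noout -hash -in "$1" 2>/dev/null ||
    openssl crl -inform DER -noout -hash -in "$1" 2>/dev/null
}
# Print "<issuer-hash> <file>" for each CRL in $1 (c_rehash links included).
crl_hashes() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    h=$(crl_hash "$f") && printf '%s %s\n' "$h" "${f##*/}"
  done
}
# Report each CA lacking a CRL with the same hash, or whose <hash>.r0 link is
# missing or dangling (c_rehash not rerun). Returns 1 on any gap, else 0.
# Hash collisions (.r1, .r2 ...) are not handled.
audit_crls() {
  dir=$1; rc=0; crls=$(crl_hashes "$dir")
  for entry in $(ca_hashes "$dir" | tr ' ' ':'); do
    h=${entry%%:*}; ca=${entry#*:}
    if ! printf '%s\n' "$crls" | grep -q "^$h "; then
      echo "MISSING CRL: no CRL issued by CA $h (from $ca)"; rc=1
    elif [ ! -e "$dir/$h.r0" ]; then
      echo "NOT REHASHED: $h.r0 missing for CRL of $h; run c_rehash $dir"; rc=1
    fi
  done
  return $rc
}
if [ "$#" -eq 1 ]; then audit_crls "$1"; fi   # sh audit_crls.sh /etc/raddb/certs
```

Run it after the CRL download step and before restarting radiusd, so a CA whose CRL was never fetched (the cause found in this thread) is reported before the next login fails.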


Re: EAP-TLS CRL checking when multiple CAs used

2011-11-14 Thread Martin Čmelík
Hi Alan,

I did; there is nothing about it.

Only this:

#  Check the Certificate Revocation List
#
#  1) Copy CA certificates and CRLs to same directory.
#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
#    'c_rehash' is OpenSSL's command.
#  3) uncomment the line below.
#  5) Restart radiusd
#       check_crl = yes

We have all CAs in ca.pem and the CRL lists in separate files:
crl1.pem + .der, crl2.pem + .der, etc.

Stefan,

That's what I did.
OK, I will try to do the same thing with the previous configuration. Maybe
I missed something.

Thank you


—
Martin Čmelík




2011/11/14 Alan DeKok al...@deployingradius.com:
 Martin Čmelík wrote:
 The question is: when FreeRADIUS receives a user certificate, how does the
 daemon find the correct CRL list in the certs directory?

  Read raddb/eap.conf.  This is documented.

  Alan DeKok.




EAP-TLS CRL checking when multiple CAs used

2011-11-10 Thread Martin Čmelík
Hi,

I downloaded the current stable FreeRADIUS version 2.1.12 and imported the
configuration from the old server (rewrote etc/raddb).
Everything seems to be OK, but I must now add another two trusted CAs
into ca.pem and also enable checking against CRL files, as for the others.

Let's say that eap.conf has the default setup:

tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        check_crl = yes
        CA_path = ${cadir}
        cipher_list = DEFAULT
        make_cert_command = ${certdir}/bootstrap
        ecdh_curve = prime256v1
        cache {
              enable = no
              max_entries = 255
        }
        verify {
        }
        ocsp {
              enable = no
              override_cert_url = yes
              url = http://127.0.0.1/ocsp/;
        }
}

One of our scripts downloads CRL files every 20 minutes, moves them to the
certs directory and c_rehashes them.

It works for the old certificates (4 CAs) but doesn't work for the two which I added now.

When somebody with a certificate issued by a new CA tries to log in, I see
this error in the log:

Thu Nov 10 12:56:51 2011 : Error: --> verify error:num=3:unable to get certificate CRL
Thu Nov 10 12:56:51 2011 : Auth: Login incorrect (unable to get certificate CRL): [John Smith] (from client some-device port 29 cli AA-BB-CC-DD-EE-FF)

The hashes are generated correctly:

lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 21e0d39d.r0 -> crl3.pem
lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 3cc8c9a0.r0 -> crl6.pem
lrwxrwxrwx 1 radius radius 20 Nov 10 16:19 5a64316f.0 -> radius.crt
lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 5be750ed.r0 -> crl2.pem
lrwxrwxrwx 1 radius radius 20 Nov 10 16:19 68db0f86.0 -> radius.pem
lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 92b2a332.r0 -> crl5.pem
lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 b0f3e76e.r0 -> crl4.pem
lrwxrwxrwx 1 radius radius  8 Nov 10 16:19 f31b716b.r0 -> crl1.pem
lrwxrwxrwx 1 radius radius  6 Nov 10 16:19 f6efabfa.0 -> ca.pem

...

My question is: how does FreeRADIUS find the correct CRL list and check
whether the user certificate is still valid?

This RADIUS server was set up by a colleague many years ago and he
can't remember how he did it :]

Thank you very much, because there is a lack of any information about it
on the Internet.

—
Martin Čmelík
