Re: [RADIATOR] CRL reload question

2013-10-31 Thread Heikki Vatiainen
On 10/31/2013 10:16 AM, Hartmaier Alexander wrote:
> This is a more human friendly output:
> 
> /$path/to/perl/used/by/radiator/perl -MNet::SSLeay -E 'say Net::SSLeay::SSLeay_version()'

I'd say it's a good idea to try both: this will tell if the perl run
manually uses the same components as the perl that runs Radiator.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] CRL reload question

2013-10-31 Thread Hartmaier Alexander
This is a more human friendly output:

/$path/to/perl/used/by/radiator/perl -MNet::SSLeay -E 'say Net::SSLeay::SSLeay_version()'

On 2013-10-30 23:25, Markus Moeller wrote:
> Hi Heikki,
>
>Thank you for that.  Despite my attempts to use the latest static openssl
> library I used an old one :-(. I will retest.
>
> Markus
>

Re: [RADIATOR] CRL reload question

2013-10-30 Thread Markus Moeller
Hi Heikki,

   Thank you for that.  Despite my attempts to use the latest static openssl 
library I used an old one :-(. I will retest.

Markus

-Original Message- 
From: Heikki Vatiainen
Sent: Wednesday, October 30, 2013 9:20 PM
To: Markus Moeller ; radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

On 10/30/2013 10:39 PM, Markus Moeller wrote:

>  I have linked it statically to avoid mixup with system libraries. There
> is no way to check it in another way is there ?

If you have Net::SSLeay newer than 1.42, try putting this in Radiator
configuration:

StartupHook sub { use Net::SSLeay; main::log($main::LOG_INFO, \
  "SSL version: " . \
  sprintf("0x%x", Net::SSLeay::SSLeay())); }

You should find something like this from Radiator logs:

   INFO: SSL version: 0x1000100f

See this for more info:
http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions

Thanks,
Heikki



Re: [RADIATOR] CRL reload question

2013-10-30 Thread Heikki Vatiainen
On 10/30/2013 10:39 PM, Markus Moeller wrote:

>  I have linked it statically to avoid mixup with system libraries. There
> is no way to check it in another way is there ?

If you have Net::SSLeay newer than 1.42, try putting this in Radiator
configuration:

StartupHook sub { use Net::SSLeay; main::log($main::LOG_INFO, \
  "SSL version: " . \
  sprintf("0x%x", Net::SSLeay::SSLeay())); }

You should find something like this from Radiator logs:

   INFO: SSL version: 0x1000100f

See this for more info:
http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions

Thanks,
Heikki



Re: [RADIATOR] CRL reload question

2013-10-30 Thread Markus Moeller
Hi Heikki,

  I have linked it statically to avoid mixup with system libraries. There is 
no way to check it in another way is there ?

Markus

-Original Message- 
From: Heikki Vatiainen
Sent: Wednesday, October 30, 2013 5:11 PM
To: Markus Moeller ; radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

On 10/29/2013 12:41 AM, Markus Moeller wrote:

>   I still get the same error with openssl 1.0.1. The CRL on disk is new,
> but radiator says CRL is expired. Radiator also gives a reload CRL error
> saying the CRL already exists.

Hello Markus,

can you do one more test? Check with 'ldd
/path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL
libs you expect it to.

Thanks,
Heikki



Re: [RADIATOR] CRL reload question

2013-10-30 Thread Heikki Vatiainen
On 10/29/2013 12:41 AM, Markus Moeller wrote:

>   I still get the same error with openssl 1.0.1. The CRL on disk is new,
> but radiator says CRL is expired. Radiator also gives a reload CRL error
> saying the CRL already exists.

Hello Markus,

can you do one more test? Check with 'ldd
/path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL
libs you expect it to.

Thanks,
Heikki



Re: [RADIATOR] CRL reload question

2013-10-28 Thread Markus Moeller
Hi Heikki,

   I still get the same error with openssl 1.0.1. The CRL on disk is new, 
but radiator says CRL is expired. Radiator also gives a reload CRL error 
saying the CRL already exists.

Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file 
'/opt/radiator/etc/certs/crls/User_CA_1.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file 
'/opt/radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509 
certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file 
'/opt/radiator/etc/certs/crls/User_CA_2.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file 
'/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509 
certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file 
'/opt/radiator/etc/certs/crls/User_CA_4.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file 
'/opt/radiator/etc/certs/crls/User_CA_4.pem': error:0B07D065:x509 
certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed: CRL 
has expired,  19868: 1 - error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Oct 28 22:21:23 2013: INFO: EAP TLS certificate verification failed: CRL 
has expired,  19868: 1 - error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

# ls -al User_CA_2.pem
-rwxrwxrwx   1 root root   70699 Oct 28 21:55 User_CA_2.pem

# /usr/sfw/bin/openssl crl -in User_CA_2.pem -noout -lastupdate -nextupdate
lastUpdate=Oct 28 19:26:37 2013 GMT
nextUpdate=Nov 11 19:26:37 2013 GMT



Markus

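To turn the checks in this thread into something a monitoring job can run, here is an added Python triage script (not from the thread, Radiator or Net::SSLeay) run over the log lines and the openssl crl output Markus posted. It flags the case where X509_STORE_add_crl refused the reloaded file with "cert already in hash table" while EAP-TLS verification still reports "CRL has expired", even though the CRL on disk is inside its lastUpdate/nextUpdate window: the server is still verifying against the stale in-memory CRL. It assumes the Radiator log timestamps are in UTC so they can be compared with the GMT dates openssl prints.

```python
import re
from datetime import datetime, timezone

# Radiator log lines and 'openssl crl' output as posted in the thread
# (Markus Moeller, 2013-10-28); the mail archive's line wrapping is undone.
SAMPLE_LOG = """\
Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_1.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_2.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed: CRL has expired,  19868: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

SAMPLE_CRL_DATES = """\
lastUpdate=Oct 28 19:26:37 2013 GMT
nextUpdate=Nov 11 19:26:37 2013 GMT
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$")
ADD_FAILED = re.compile(r"Failed to add CRL file '(?P<path>[^']+)': (?P<err>error:[0-9A-Fa-f]+:.*)")
RELOADING = re.compile(r"\(Re\)loading CRL file '(?P<path>[^']+)'")


def parse_log_ts(text):
    """'Mon Oct 28 22:15:22 2013' -> aware datetime. Assumption: Radiator logs
    local time; for this example the host clock is taken to be UTC."""
    text = re.sub(r"\s+", " ", text.strip())
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Reduce Radiator log lines to the CRL-related events the diagnosis needs."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, msg = parse_log_ts(m["ts"]), m["msg"]
        failed = ADD_FAILED.search(msg)
        reloading = RELOADING.search(msg)
        if failed:
            events.append({"ts": ts, "kind": "add_failed",
                           "path": failed["path"], "err": failed["err"]})
        elif reloading:
            events.append({"ts": ts, "kind": "reloading", "path": reloading["path"]})
        elif "CRL has expired" in msg:
            events.append({"ts": ts, "kind": "expired_reported"})
    return events


def parse_crl_dates(text):
    """Parse 'openssl crl -noout -lastupdate -nextupdate' output into UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("lastUpdate", "nextUpdate"):
            value = re.sub(r"\s+", " ", value.strip())  # openssl pads single-digit days
            dates[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return dates


def diagnose(log_text, crl_dates_text):
    """Correlate reload failures, expiry reports and the on-disk CRL validity window."""
    events = parse_log(log_text)
    dates = parse_crl_dates(crl_dates_text)
    hash_table_failures = sorted({e["path"] for e in events
                                  if e["kind"] == "add_failed"
                                  and "already in hash table" in e["err"]})
    expired_at = [e["ts"] for e in events if e["kind"] == "expired_reported"]
    # Is the CRL on disk valid at the moments the server claims it has expired?
    disk_valid = (bool(expired_at) and "lastUpdate" in dates and "nextUpdate" in dates
                  and all(dates["lastUpdate"] <= t <= dates["nextUpdate"] for t in expired_at))
    return {
        "reload_failed": hash_table_failures,
        "expired_reports": len(expired_at),
        "disk_crl_valid_at_failure": disk_valid,
        # New file read, X509_STORE_add_crl refused it, verification still uses the
        # old expired copy: only a restart (or a fixed reload path) replaces it.
        "stale_in_memory_crl": bool(hash_table_failures) and disk_valid,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_CRL_DATES).items():
        print(f"{key}: {value}")
```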


Re: [RADIATOR] CRL reload question

2013-09-30 Thread Markus Moeller
Hi Heikki,

   OK I'll try with a later 1.x version.

Thank you
Markus



Re: [RADIATOR] CRL reload question

2013-09-30 Thread Heikki Vatiainen
On 09/29/2013 04:52 PM, Markus Moeller wrote:

> I would expect something like this:
> 
> If error "already in hashtable"
>
> $self->log($main::LOG_ERR, "Free old entry and add new CRL");
>

Hello Markus,

we have not looked at CRL reloading lately so I can not tell if the new
functions would help with CRL reloading. However, a quick look at
OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
in 1.x versions than e.g., in 0.9.8x. Also, these changes between 0.9.x
and 1.0.0 look promising (OpenSSL changelog):

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer
     names. Modify get_crl() to find a valid (unexpired) CRL if possible.
     [Steve Henson]

  *) New function X509_CRL_match() to check if two CRLs are identical.
     Normally this would be called X509_CRL_cmp() but that name is already
     used by a function that just compares CRL issuer names. Cache several
     CRL extensions in X509_CRL structure and cache CRLDP in X509.
     [Steve Henson]

If you plan to test this, can you see if you get different results with
OpenSSL 1.0.x versions than 0.9.8x?

Thanks,
Heikki

> loop over objects
> my $idx = 0 ?
> for (i = $idx ; i< $cert_store->num; i++) {
>my $obj -> $cert_store->data[i];
>if (obj->data.crl == $crl->data.crl) {
>&Net::SSLeay::X509_CRL_free($obj);
>$obj = Net::SSLeay::X509_CRL_new();   
>$obj->data.crl = $crl;
>$cert_store->data[i] = $obj;   
>break
>}
> }
>
> in TLS.pm. I haven’t tried it yet as I haven’t got a dev setup ready,
> but wonder if that looks sensible.



Re: [RADIATOR] CRL reload question

2013-09-29 Thread Markus Moeller
Hi,

   I would expect something like this:

If error "already in hashtable"

$self->log($main::LOG_ERR, "Free old entry and add new CRL");

loop over objects
my $idx = 0 ?
for (i = $idx ; i< $cert_store->num; i++) {
   my $obj -> $cert_store->data[i];
   if (obj->data.crl == $crl->data.crl) {
   &Net::SSLeay::X509_CRL_free($obj);
   $obj = Net::SSLeay::X509_CRL_new();
   $obj->data.crl = $crl;
   $cert_store->data[i] = $obj;
   break
   }
}

in TLS.pm.  I  haven’t tried it yet as I haven’t got a dev setup ready, but 
wonder if that looks sensible.

Regards
Markus

From: Markus Moeller 
Sent: Sunday, September 29, 2013 1:50 PM
To: radiator@open.com.au 
Subject: Re: [RADIATOR] CRL reload question

Hi,

   Looking at Net-SSLeay-1.55 I found there are now more low-level CRL
functions (Low level API: X509_CRL related functions). Are they, or will they
be, included in a newer Radiator release to clear a CRL and re-load it correctly
without a server restart?

Thank you
Markus

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:55 PM
To: radiator@open.com.au 
Subject: Re: [RADIATOR] CRL reload question

And openssl is 0.9.8x.

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:45 PM
To: radiator@open.com.au 
Subject: Re: [RADIATOR] CRL reload question

I forgot to say that I use Radiator 4.9

Markus

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:30 PM
To: radiator@open.com.au 
Subject: [RADIATOR] CRL reload question

Hi,

  I have a setup for EAP TLS using CRLs and have the problem that  an updated 
CRL is not correctly re-read in some particular situations when the CRL was 
expired for a moment.  The setup is as follows:




  Identifier EapTLS
  # the file is used to check usernames (assuming EAP-TLS certificate checks 
pass):
  Filename %D/wlan_users
  EAPType TLS

  # WLAN Additional Certificate Check
  EAPTLS_CertificateVerifyHook file:"%D/hooks/check.pl"

  # WLAN root CAs
  EAPTLS_CAFile %{GlobalVar:CertsDir}/all-CAs.pem

  EAPTLS_CertificateType PEM

  # Radiator Cert
  EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server_cert.pem
  # Radiator private key
  EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server_cert.key

  EAPTLS_MaxFragmentSize 1000

  EAPTLS_CRLCheck
  EAPTLS_CRLFile %{GlobalVar:CertsDir}/CA-crl.pem

  AutoMPPEKeys




Usually when a client connects I get: 

Wed Sep 18 07:46:04 2013: DEBUG: (Re)loading CRL file 
'/var/opt/certs/CA-crl.pem'
Wed Sep 18 07:46:04 2013: ERR: Failed to add CRL file 
'/var/opt/certs/CA-crl.pem': error:0B07D065:x509 certificate 
routines:X509_STORE_add_crl:cert already in hash table

which despite the error seems to read any updated CRL. (Or do I have this wrong?
Is this only because it reads the same CRL, not an updated CRL?)

Now the CRL is downloaded on an hourly basis and in the situation where the CRL 
expired during that hour and a client connects I get the error

CRL has expired,  7159: 1 - error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

which I expect, but I would also think that after the new CRL is downloaded
(at the latest an hour after expiry) the new updated CRL should be loaded. If not, what
would be the recommended way to read a new/updated CRL?

Thank you
Markus

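The two questions raised above, which OpenSSL the running perl is linked against and what X509_STORE_add_crl returns when an updated (or already expired) CRL is offered to a store that already holds one, can be checked outside Radiator with a small script. The following is an added example written for this thread; it is not Radiator code and not part of Net::SSLeay. It assumes Net::SSLeay 1.55 or newer (SSLeay(), SSLeay_version(), the low-level X509_CRL_get_lastUpdate/X509_CRL_get_nextUpdate functions and P_ASN1_TIME_get_isotime()), and it takes the CRL files to load as arguments, in order, so the old CRL can be given first and the freshly downloaded one second:

```perl
#!/usr/bin/perl
# Added example, not Radiator or Net::SSLeay project code: load one or more
# PEM CRL files, in order, into a single OpenSSL X509_STORE and report what
# X509_STORE_add_crl returns for each, together with the CRL validity window
# and the OpenSSL version this perl is linked against.
# Assumes Net::SSLeay 1.55 or newer.
use strict;
use warnings;
use POSIX qw(strftime);
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

# Same check as the StartupHook earlier in the thread: which OpenSSL is this?
sub openssl_version_line {
    return sprintf "OpenSSL: %s (0x%x)",
        Net::SSLeay::SSLeay_version(), Net::SSLeay::SSLeay();
}

# Oldest queued OpenSSL error as text, or '' if there is none.
sub last_ssl_error {
    my $code = Net::SSLeay::ERR_get_error();
    return $code ? Net::SSLeay::ERR_error_string($code) : '';
}

# Parse a PEM CRL file; returns an X509_CRL pointer the caller must free.
sub read_pem_crl {
    my ($path) = @_;
    my $bio = Net::SSLeay::BIO_new_file($path, 'r')
        or die "cannot open $path: " . last_ssl_error() . "\n";
    my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
    Net::SSLeay::BIO_free($bio);
    die "cannot parse PEM CRL in $path: " . last_ssl_error() . "\n" unless $crl;
    return $crl;
}

# Validity window as ISO-8601 UTC strings plus an "expired" flag.
# nextUpdate is optional in a CRL; a missing one is reported as '' and
# treated as not expired. UTC ISO timestamps sort lexically, so a plain
# string compare against "now" is sufficient.
sub crl_validity {
    my ($crl) = @_;
    my $last_asn = Net::SSLeay::X509_CRL_get_lastUpdate($crl);
    my $next_asn = Net::SSLeay::X509_CRL_get_nextUpdate($crl);
    my $last = $last_asn ? Net::SSLeay::P_ASN1_TIME_get_isotime($last_asn) : '';
    my $next = $next_asn ? Net::SSLeay::P_ASN1_TIME_get_isotime($next_asn) : '';
    my $now  = strftime('%Y-%m-%dT%H:%M:%SZ', gmtime);
    my $expired = ($next ne '' && $next lt $now) ? 1 : 0;
    return ($last, $next, $expired);
}

# Offer a CRL file to the store and return a result hash. An expired CRL is
# flagged but still offered, so the store's behaviour can be observed as-is.
sub add_crl_file {
    my ($store, $path) = @_;
    my $crl = read_pem_crl($path);
    my ($last, $next, $expired) = crl_validity($crl);
    Net::SSLeay::ERR_clear_error();
    my $ok    = Net::SSLeay::X509_STORE_add_crl($store, $crl);
    my $error = $ok ? '' : last_ssl_error();
    # The store takes its own reference on success, so release ours either way.
    Net::SSLeay::X509_CRL_free($crl);
    return { path => $path, lastUpdate => $last, nextUpdate => $next,
             expired => $expired, added => $ok ? 1 : 0, error => $error };
}

die "usage: $0 CA-crl.pem [CA-crl-updated.pem ...]\n" unless @ARGV;

my $ctx = Net::SSLeay::CTX_new()
    or die "CTX_new failed: " . last_ssl_error() . "\n";
my $store = Net::SSLeay::CTX_get_cert_store($ctx);

print openssl_version_line(), "\n";
for my $path (@ARGV) {
    my $r = add_crl_file($store, $path);
    printf "%s: lastUpdate=%s nextUpdate=%s expired=%s added=%s%s\n",
        $r->{path}, $r->{lastUpdate}, $r->{nextUpdate},
        $r->{expired} ? 'yes' : 'no', $r->{added} ? 'yes' : 'no',
        $r->{error} ? " error=$r->{error}" : '';
}
Net::SSLeay::CTX_free($ctx);
```

Run it once against the perl that Radiator actually uses (the path matters, as noted in the thread) with the old and the new CRL as the two arguments. The second line of output shows directly whether the store accepted the updated CRL or answered with the "cert already in hash table" error from the Radiator log, and the expired flag shows whether the file that was downloaded is itself already past its nextUpdate, which is a check worth doing before the file is installed rather than after a client fails with "CRL has expired".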

Re: [RADIATOR] CRL reload question

2013-09-29 Thread Markus Moeller
Hi,

   Looking at Net-SSLeay-1.55 I found there are now more low-level CRL
functions (Low level API: X509_CRL related functions). Are they, or will they
be, included in a newer Radiator release to clear a CRL and re-load it correctly
without a server restart?

Thank you
Markus

Re: [RADIATOR] CRL reload question

2013-09-28 Thread Markus Moeller
And openssl is 0.9.8x.


Re: [RADIATOR] CRL reload question

2013-09-28 Thread Markus Moeller
I forgot to say that I use Radiator 4.9

Markus
