Re: [RADIATOR] CRL reload question
On 10/31/2013 10:16 AM, Hartmaier Alexander wrote:
> This is a more human friendly output:
>
> /$path/to/perl/used/by/radiator/perl -MNet::SSLeay -E 'say
> Net::SSLeay::SSLeay_version()'

I'd say it's a good idea to try both: this will tell if the perl run
manually uses the same components as the perl that runs Radiator.

Thanks,
Heikki

--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] CRL reload question
This is a more human friendly output:

/$path/to/perl/used/by/radiator/perl -MNet::SSLeay -E 'say Net::SSLeay::SSLeay_version()'

On 2013-10-30 23:25, Markus Moeller wrote:
> Hi Heikki,
>
> Thank you for that. Despite my attempts to use the latest static openssl
> library I used an old one :-(. I will retest.
>
> Markus
>
> -----Original Message-----
> From: Heikki Vatiainen
> Sent: Wednesday, October 30, 2013 9:20 PM
> To: Markus Moeller ; radiator@open.com.au
> Subject: Re: [RADIATOR] CRL reload question
>
> On 10/30/2013 10:39 PM, Markus Moeller wrote:
>
>> I have linked it statically to avoid mixup with system libraries. There
>> is no way to check it in another way is there ?
>
> If you have Net::SSLeay newer than 1.42, try putting this in Radiator
> configuration:
>
> StartupHook sub { use Net::SSLeay; main::log($main::LOG_INFO, \
>     "SSL version: " . \
>     sprintf("0x%x", Net::SSLeay::SSLeay())); }
>
> You should find something like this from Radiator logs:
>
> INFO: SSL version: 0x1000100f
>
> See this for more info:
> http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions
>
> Thanks,
> Heikki
Re: [RADIATOR] CRL reload question
Hi Heikki,

Thank you for that. Despite my attempts to use the latest static openssl
library I used an old one :-(. I will retest.

Markus

-----Original Message-----
From: Heikki Vatiainen
Sent: Wednesday, October 30, 2013 9:20 PM
To: Markus Moeller ; radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

On 10/30/2013 10:39 PM, Markus Moeller wrote:
> I have linked it statically to avoid mixup with system libraries. There
> is no way to check it in another way is there ?

If you have Net::SSLeay newer than 1.42, try putting this in Radiator
configuration:

StartupHook sub { use Net::SSLeay; main::log($main::LOG_INFO, \
    "SSL version: " . \
    sprintf("0x%x", Net::SSLeay::SSLeay())); }

You should find something like this from Radiator logs:

INFO: SSL version: 0x1000100f

See this for more info:
http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions

Thanks,
Heikki
Re: [RADIATOR] CRL reload question
On 10/30/2013 10:39 PM, Markus Moeller wrote:
> I have linked it statically to avoid mixup with system libraries. There
> is no way to check it in another way is there ?

If you have Net::SSLeay newer than 1.42, try putting this in Radiator
configuration:

StartupHook sub { use Net::SSLeay; main::log($main::LOG_INFO, \
    "SSL version: " . \
    sprintf("0x%x", Net::SSLeay::SSLeay())); }

You should find something like this from Radiator logs:

INFO: SSL version: 0x1000100f

See this for more info:
http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions

Thanks,
Heikki
Re: [RADIATOR] CRL reload question
Hi Heikki,

I have linked it statically to avoid mixup with system libraries. There
is no way to check it in another way is there ?

Markus

-----Original Message-----
From: Heikki Vatiainen
Sent: Wednesday, October 30, 2013 5:11 PM
To: Markus Moeller ; radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

On 10/29/2013 12:41 AM, Markus Moeller wrote:
> I still get the same error with openssl 1.0.1. The CRL on disk is new,
> but radiator says CRL is expired. Radiator also gives a reload CRL error
> saying the CRL already exists.

Hello Markus,

can you do one more test? Check with 'ldd
/path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL
libs you expect it to.

Thanks,
Heikki
Re: [RADIATOR] CRL reload question
On 10/29/2013 12:41 AM, Markus Moeller wrote:
> I still get the same error with openssl 1.0.1. The CRL on disk is new,
> but radiator says CRL is expired. Radiator also gives a reload CRL error
> saying the CRL already exists.

Hello Markus,

can you do one more test? Check with 'ldd
/path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL
libs you expect it to.

Thanks,
Heikki
Re: [RADIATOR] CRL reload question
Hi Heikki,

I still get the same error with openssl 1.0.1. The CRL on disk is new,
but radiator says CRL is expired. Radiator also gives a reload CRL error
saying the CRL already exists.

Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_1.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_2.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_4.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_4.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed: CRL has expired, 19868: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Oct 28 22:21:23 2013: INFO: EAP TLS certificate verification failed: CRL has expired, 19868: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

# ls -al User_CA_2.pem
-rwxrwxrwx 1 root root 70699 Oct 28 21:55 User_CA_2.pem

# /usr/sfw/bin/openssl crl -in User_CA_2.pem -noout -lastupdate -nextupdate
lastUpdate=Oct 28 19:26:37 2013 GMT
nextUpdate=Nov 11 19:26:37 2013 GMT

Markus

-----Original Message-----
From: Markus Moeller
Sent: Monday, September 30, 2013 10:50 PM
To: Heikki Vatiainen ; radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

Hi Heikki,

OK I'll try with a later 1.x version.

Thank you
Markus
Re: [RADIATOR] CRL reload question
Hi Heikki,

OK I'll try with a later 1.x version.

Thank you
Markus

-----Original Message-----
From: Heikki Vatiainen
Sent: Monday, September 30, 2013 10:18 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

If you plan to test this, can you see if you get different results with
OpenSSL 1.0.x versions than 0.9.8x?

Thanks,
Heikki
Re: [RADIATOR] CRL reload question
On 09/29/2013 04:52 PM, Markus Moeller wrote:
> I would expect something like this:
>
> If error "already in hashtable"
>
>     $self->log($main::LOG_ERR, "Free old entry and add new CRL");
>

Hello Markus,

we have not looked at CRL reloading lately so I can not tell if the new
functions would help with CRL reloading. However, a quick look at
OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
in 1.x versions than e.g., in 0.9.8x. Also, these changes between 0.9.x
and 1.0.0 look promising (OpenSSL changelog):

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer
     names. Modify get_crl() to find a valid (unexpired) CRL if possible.
     [Steve Henson]

  *) New function X509_CRL_match() to check if two CRLs are identical.
     Normally this would be called X509_CRL_cmp() but that name is already
     used by a function that just compares CRL issuer names. Cache several
     CRL extensions in X509_CRL structure and cache CRLDP in X509.
     [Steve Henson]

If you plan to test this, can you see if you get different results with
OpenSSL 1.0.x versions than 0.9.8x?

Thanks,
Heikki
Re: [RADIATOR] CRL reload question
Hi,

I would expect something like this:

If error "already in hashtable"

    $self->log($main::LOG_ERR, "Free old entry and add new CRL");

    loop over objects
    my $idx = 0 ?
    for (i = $idx; i < $cert_store->num; i++) {
        my $obj = $cert_store->data[i];
        if ($obj->data.crl == $crl->data.crl) {
            &Net::SSLeay::X509_CRL_free($obj);
            $obj = Net::SSLeay::X509_CRL_new();
            $obj->data.crl = $crl;
            $cert_store->data[i] = $obj;
            break;
        }
    }

in TLS.pm. I haven't tried it yet as I haven't got a dev setup ready,
but wonder if that looks sensible.

Regards
Markus

From: Markus Moeller
Sent: Sunday, September 29, 2013 1:50 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

Hi,

Looking at NET-SSLeay-1.55 I found there are now more low level CRL
functions (Low level API - X509_CRL_ related functions). Are they or will
they be included in a newer Radiator release to clear a CRL and re-load
it correctly without server restart ?

Thank you
Markus

From: Markus Moeller
Sent: Saturday, September 28, 2013 2:55 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

And openssl is 0.9.8x.

From: Markus Moeller
Sent: Saturday, September 28, 2013 2:45 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] CRL reload question

I forgot to say that I use Radiator 4.9

Markus

From: Markus Moeller
Sent: Saturday, September 28, 2013 2:30 PM
To: radiator@open.com.au
Subject: [RADIATOR] CRL reload question

Hi,

I have a setup for EAP TLS using CRLs and have the problem that an
updated CRL is not correctly re-read in some particular situations when
the CRL was expired for a moment.

The setup is as follows:

    Identifier EapTLS
    # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
    Filename %D/wlan_users
    EAPType TLS
    # WLAN Additional Certificate Check
    EAPTLS_CertificateVerifyHook file:"%D/hooks/check.pl"
    # WLAN root CAs
    EAPTLS_CAFile %{GlobalVar:CertsDir}/all-CAs.pem
    EAPTLS_CertificateType PEM
    # Radiator Cert
    EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server_cert.pem
    # Radiator private key
    EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server_cert.key
    EAPTLS_MaxFragmentSize 1000
    EAPTLS_CRLCheck
    EAPTLS_CRLFile %{GlobalVar:CertsDir}/CA-crl.pem
    AutoMPPEKeys

Usually when a client connects I get:

Wed Sep 18 07:46:04 2013: DEBUG: (Re)loading CRL file '/var/opt/certs/CA-crl.pem'
Wed Sep 18 07:46:04 2013: ERR: Failed to add CRL file '/var/opt/certs/CA-crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table

which despite the error seems to read any updated CRL. (Or do I have
this wrong? Is this only because it reads the same CRL, not an updated
CRL?)

Now the CRL is downloaded on an hourly basis, and in the situation where
the CRL expired during that hour and a client connects I get the error

CRL has expired, 7159: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

which I expect, but I would also think that after the new CRL is
downloaded (at the latest an hour after expiry) the new, updated CRL
should be loaded. If not, what would be the recommended way to read a
new/updated CRL ?

Thank you
Markus
Re: [RADIATOR] CRL reload question
Hi,

Looking at NET-SSLeay-1.55 I found there are now more low level CRL functions ("Low level API: X509_CRL related functions"). Are they, or will they be, included in a newer Radiator release to clear a CRL and re-load it correctly without a server restart?

Thank you
Markus
Re: [RADIATOR] CRL reload question
And openssl is 0.9.8x.

Markus
Re: [RADIATOR] CRL reload question
I forgot to say that I use Radiator 4.9

Markus