I am trying to set up EAP-TLS using FreeRadius, and I am using EJBCA to sign my certs.  I have been able to get everything to work correctly except the CRL.  I have created a directory /usr/local/etc/raddb/certs/crls where I am storing my CRL info.  In this directory I have the certificate chain of the signing CA (in pem format) and the latest CRL for that CA (also in pem format).  After the CRL is copied into this directory I execute c_rehash on the directory and everything runs fine.  When I run radiusd, however, all attempts to authenticate are denied.  The pertinent portion of the output from radiusd -X -A is:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 07b8], Certificate
--> verify error:num=8:CRL signature failure
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.

This seems to tell me that FreeRadius cannot verify the CRL against the CA cert.  However, when I run:
    openssl crl -in my-crl.pem -inform PEM -CAfile my-cacert.pem -issuer -lastupdate -nextupdate -noout
it returns verify OK and the correct info on issuer and update times.
 
Also when I run:
    openssl verify -CApath ./ -crl_check test.pem
it behaves as expected. 
 
Any ideas?
 
Jeremy Pastin
 
helpdesk@firstindustrial.com
312-344-4444
 
First Industrial Realty Trust, Inc.
311 S Wacker Dr
Chicago, IL 60606
 
Phone:  312-344-4425
Fax:  312-895-9425
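For anyone debugging the same kind of "CRL signature failure", the following is an added helper (not part of the original post, FreeRADIUS or EJBCA) that checks a c_rehash'd CApath directory the way OpenSSL resolves it at runtime: for every CRL hash link (<hash>.r0), it locates the issuing CA through the matching <hash>.0 link and verifies the CRL signature against that specific certificate, which is what radiusd does, rather than against a CAfile you pick by hand. It assumes the CA certificate and the CRL are PEM files in the same directory, as in the setup above.

```shell
#!/bin/sh
# check_crl_dir DIR: validate every CRL in an OpenSSL CApath directory the
# way libssl will at handshake time. Returns 0 if all CRLs verify, 1 if any
# CRL is unreadable, has no CA link under its issuer hash, or fails its
# signature check. Hypothetical helper for troubleshooting, not project code.
check_crl_dir() {
    dir="$1"
    status=0
    for crl in "$dir"/*.r[0-9]; do
        [ -e "$crl" ] || { echo "no CRL hash links (*.r0) in $dir; run c_rehash"; return 1; }
        # Hash of the CRL's issuer name; the issuing CA must be linked as <hash>.0
        hash=$(openssl crl -in "$crl" -inform PEM -noout -hash 2>/dev/null) || {
            echo "FAIL: $crl is not a PEM CRL"; status=1; continue; }
        case "$(basename "$crl")" in
            "$hash".r*) ;;
            *) echo "WARN: $crl is not linked under its issuer hash ($hash)" ;;
        esac
        ca="$dir/$hash.0"
        if [ ! -e "$ca" ]; then
            echo "FAIL: $crl: no CA certificate linked as $ca (wrong or missing CA)"
            status=1; continue
        fi
        # openssl crl reports the verification result on stderr, hence 2>&1
        if openssl crl -in "$crl" -inform PEM -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK'; then
            echo "OK:   $crl verifies against $ca"
        else
            echo "FAIL: $crl: CRL signature failure against $ca"
            status=1
        fi
    done
    return $status
}
```

Run it as `check_crl_dir /usr/local/etc/raddb/certs/crls`; a FAIL on the CA link means the CRL's issuer does not match any hashed certificate in the directory, while a signature FAIL means the linked certificate is not the key that signed the CRL.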
 

