dynamic CRL
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Aug 11 21:02:12 CEST 2011
On 11 Aug 2011, at 20:46, Travis Dimmig wrote:
>> Travis Dimmig wrote:
>>> Apologies ahead of time if this information is easily available
>>> somewhere else, but everything I found seemed to be a few years out of
>>> date. Does FreeRADIUS now have the ability to re-read a certificate
>>> revocation list, or does it still require a restart after additions to
>>> the CRL?
>>
>> FreeRADIUS uses OpenSSL for all SSL-related things. OpenSSL doesn't reload CRLs dynamically.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> OpenSSL does provide a way of outputting the CRL to a PEM file, though, for instance. Would it not be possible to point FreeRADIUS to such a file and have it either monitor for changes or re-read it when attempting a certificate-based authentication? A user would be responsible for re-generating that file when a new certificate is revoked, but FreeRADIUS would not have to be restarted.
If you think it's possible, feel free to submit a patch :) - I think support was added for OCSP at least in 3.0; you could probably leverage that if you needed something more dynamic.
-Arran
Arran Cudbard-Bell
a.cudbardb at freeradius.org
RADIUS - Half the complexity of Diameter
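The workflow Travis describes above (keep the CRL as a PEM file, regenerate it when a certificate is revoked, have the verifier re-read it on every certificate check rather than at start-up) can be exercised end to end with nothing but the openssl command line. The script below is an added example, not code from the FreeRADIUS project or from anyone in this thread. It assumes an `openssl` binary on PATH (1.1.x or 3.x), builds a throw-away CA, client certificate and CRL in a temp directory, and lays the CA certificate and CRL out in the hashed `<hash>.0` / `<hash>.r0` form that OpenSSL's directory lookup (and therefore a `c_rehash`-ed FreeRADIUS `ca_path`) expects. The CA name and the client "alice" are placeholders.

```shell
#!/bin/sh
# Added example (not from the FreeRADIUS project or the thread's authors).
# Shows: CRL kept as a PEM file in a hashed directory, regenerated in place on
# revocation, and a per-authentication check that re-reads it from disk every
# time, so a fresh revocation is honoured without restarting any daemon.
# Assumptions: `openssl` on PATH (1.1.x or 3.x); everything lives in a temp
# dir; "Example Test CA" and "alice" are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: [req] gives the root CA proper CA extensions; [ca] holds only
# what `openssl ca -revoke` / `-gencrl` read (database, CRL number, digest,
# CRL lifetime). $WORK is expanded by the shell, $dir by openssl.
cat > ca.cnf <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $WORK
database         = \$dir/index.txt
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 30
EOF
touch index.txt
echo 1000 > crlnumber

# Root CA and one client certificate signed by it.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Example Test CA' -keyout ca.key -out ca.pem 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=alice' -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out alice.pem 2>/dev/null

# Regenerate the CRL as a PEM file. The file is overwritten in place, so the
# hash link created below keeps pointing at the current CRL.
regen_crl() {
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key \
        -gencrl -out crl.pem 2>/dev/null
}

# Mark a certificate revoked in the CA database, then publish a fresh CRL.
revoke_cert() {
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key \
        -revoke "$1" 2>/dev/null
    regen_crl
}

# Hashed directory in the layout OpenSSL's by-directory lookup (and c_rehash)
# expects: <subject-hash>.0 for the CA certificate, <issuer-hash>.r0 for the CRL.
regen_crl
mkdir -p capath
ln -sf "$WORK/ca.pem"  "capath/$(openssl x509 -noout -hash -in ca.pem).0"
ln -sf "$WORK/crl.pem" "capath/$(openssl crl  -noout -hash -in crl.pem).r0"

# The per-authentication check: re-reads CA and CRL from the directory on every
# call. The result is parsed from the text because `openssl verify` in 1.0.x
# exited 0 even on failure, so the exit status alone is not a reliable signal.
# Prints one of: ok | revoked | invalid: <openssl output>
check_client_cert() {
    out=$(openssl verify -crl_check -CApath "$1" "$2" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo "invalid: $out" ;;
    esac
}

BEFORE=$(check_client_cert capath alice.pem)   # ok
revoke_cert alice.pem                          # regenerates crl.pem in place
AFTER=$(check_client_cert capath alice.pem)    # revoked
echo "before revocation: $BEFORE"
echo "after revocation:  $AFTER"
```

Run it with `sh`. The second `check_client_cert` call sees the revocation only because it opens `crl.pem` afresh; a process that parsed the CRL once at start-up (which is what Alan describes OpenSSL doing inside FreeRADIUS) would keep reporting "ok" until restarted. When you do change the CRL under a real `ca_path`, re-run `c_rehash` (or recreate the `.r0` link as above) and confirm with `openssl verify -crl_check -CApath <dir> <client-cert>` before restarting the server, so a malformed or expired CRL does not take every EAP-TLS user down with it.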
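On the server side, the two settings the thread touches on (a CRL loaded from `ca_path` and the OCSP support Arran mentions for 3.0) both live in the `tls` configuration of the `eap` module. The fragment below is an added illustration, not taken from the thread; the directive names are those in FreeRADIUS 3.0's `raddb/mods-available/eap` as I know them and should be checked against the commented defaults of the installed version. `${cadir}` and the responder URL are placeholders.

```conf
tls-config tls-common {
    # ... key, certificate and ca_file settings unchanged ...

    # Directory of hashed CA certificates (<hash>.0) and CRLs (<hash>.r0),
    # built with c_rehash. The CRL found here is read when the module starts,
    # so after regenerating the file and re-running c_rehash the server has to
    # be restarted for the new revocations to take effect (see Alan's answer).
    ca_path   = ${cadir}
    check_crl = yes

    # 3.0: query an OCSP responder during each authentication instead of
    # relying on a CRL loaded at start-up. override_cert_url = yes ignores
    # any AIA URL embedded in the client certificate and uses this one.
    ocsp {
        enable            = yes
        override_cert_url = yes
        url               = "http://ocsp.example.test/"
    }
}
```

With OCSP enabled, a responder outage becomes an authentication outage unless the module is configured to fail open, so test responder reachability from the RADIUS host before turning it on in production.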