EAP/TLS authentication in 2050
Victor Guk
v.guk at zaz.zp.ua
Mon Dec 5 12:54:35 CET 2011
> This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL
> tells it.
>
> Can you verify the cert with the "openssl verify ..." test command? e.g.
> try this:
>
> openssl verify -CAfile ca.pem -purpose sslserver server.pem
freeradius:/usr/local/CA # openssl verify -CAfile cacert.pem -purpose
sslserver cert-srv.pem
cert-srv.pem: OK
>
> If this fails as well, then it's either a problem in OpenSSL or your
> system libraries with dates>2050. If it succeeds (which I doubt) then
> FreeRADIUS should work too.
>
> I sort of admire your effort to future-proof your certs though! ;o)
> why?
>
> really, why? wat purpose does testing these dates have - you really think
> your current infrastructure, and techologies such as 802.1X are going
> to be around in the same format in even 20 years time?
No, of course not :)
This is my curiosity led me to test such date.
>
> anyway....I'm guessing these are 32 bit server and client OS ?
>
> you may find, in that case, that your tests will work until you set the
> date beyond 2037 - 32bit OS have problems with dates after 2038
>
> so, try this with KNOWN parameters - eg 2020 , within the 2038
> timeframe and things should work.
The server is running SLES 11 SP1 (x86_64), a workstation running
Windows XP SP3 (32bit). Authentication is successful until February 1,
2050, ie for example if you logged in December 31, 2049, then the
authentication is successful.
A little later, try the client computer under the control of 64bit. the
results announced later.
More information about the Freeradius-Users
mailing list