OCSP parsing in client certificate

Beltramini Francesco Francesco.Beltramini at ema.europa.eu
Tue Apr 16 17:30:39 CEST 2013


Dear all, 

I have a small/big issue and I cannot find a good solution for that.
Scenario: 
iPhones with certificates from internal PKI, joining a Wi-Fi network protected by WPA2-Enterprise authenticating against a Freeradius server v. 2.1.12 (Redhat 6.3). The radius server has as well an internal PKI certificate and the authentication used is EAP-TLS. 
No CRL/OCSP implementation on the first stage. Everything is working fine, the mobile device is configure to accept the radius certificate and the peers can therefore mutually authenticate each other. 

I then configured a Microsoft OCSP array to implement client certificate status checking on the radius server. 
When "override_cert_url = yes" in the OCSP section in eap.conf is configured to override the responder URL, everything is fine and radius get correct responses, 

[tls] --> verify return:1
[tls] --> Starting OCSP Request
[ocsp] --> Responder URL = http://crl.ema.europa.eu:80/ocsp
[ocsp] --> Response status: successful
        This Update: Apr 16 09:50:00 2013 GMT
        Next Update: Apr 17 22:10:00 2013 GMT
[oscp] --> Cert status: good
[ocsp] --> Certificate is valid!
[tls] chain-depth=0,

but when I try to remove this feature and use the OCSP property extracted from the client certificate, the radiusd -X output is:

[tls] --> Starting OCSP Request
[ocsp] --> Responder URL = http://(null):(null)(null)
Error: Couldn't get OCSP response
[ocsp] --> Certificate has been expired/revoked!
[tls] chain-depth=0,
[tls] error=0

I don't know if the problem is the client certificate or how Radius parse it. I this can help to understand, the output of:

openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri > http://crl.ema.europa.eu/ocsp (which is the correct url) 

Any input is really appreciated. 

Regards,

Francesco Beltramini




________________________________________________________________________
This e-mail has been scanned for all known viruses by European Medicines Agency.
________________________________________________________________________


More information about the Freeradius-Users mailing list