OCSP parsing in client certificate

Matthew Newton mcn4 at leicester.ac.uk
Tue Apr 16 22:55:38 CEST 2013


On Tue, Apr 16, 2013 at 04:30:18PM -0400, Alan DeKok wrote:
> Beltramini Francesco wrote:
> > but when I try to remove this feature and use the OCSP
> > property extracted from the client certificate, the radiusd -X
> > output is:
> > 
> > [tls] --> Starting OCSP Request
> > [ocsp] --> Responder URL = http://(null):(null)(null)
> 
>   From the v2.2.0 change log:
> 
> 	* Skip OCSP if there's no host / port / url, with soft_fail

Hmm - I'm not sure if the override_cert_url = no code works
correctly - I seem to remember I had problems with it, but I just
set it to yes and forced the server anyway, as it seemed better
than trusting the client-provided cert (our setup is private CA,
so I know what the OCSP server is). I think I saw the same - that
it wouldn't extract the URL from the cert, and just came back with
(null)s. As usual, I just blamed OpenSSL and moved on.

If I get a chance, I'll try and check it again.

soft_fail will allow the auth to succeed in the event that there
is no response (rather than a negative response) from the OCSP
server - otherwise it "fails safe" and rejects the request. It's
in case the OCSP server happens to be down for some reason.

>   Upgrade.

Always the right thing anyway :-)

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
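The two decisions discussed in this thread, shown as an added example (not FreeRADIUS or OpenSSL code): with override_cert_url = no the responder URL comes out of the client certificate's Authority Information Access extension (the "(null)" responder in the original report is what you see when that extraction yields nothing), and soft_fail decides what happens when there is no responder to ask or it does not answer, while a negative answer always rejects. The AIA value is a hand-constructed DER blob, the minimal DER reader, the OcspConfig field names and the check_client_cert/query split are all assumptions made for this example, and the decision table follows the semantics described above rather than the server's actual source.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# id-ad-ocsp (1.3.6.1.5.5.7.48.1) and id-ad-caIssuers (1.3.6.1.5.5.7.48.2),
# as DER OID contents (without the 0x06 tag and length byte).
OID_AD_OCSP = bytes.fromhex("2b06010505073001")
OID_AD_CAISSUERS = bytes.fromhex("2b06010505073002")


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


# Constructed sample AIA extension value (not taken from a real certificate):
#   SEQUENCE { AccessDescription{caIssuers, URI}, AccessDescription{ocsp, URI} }
# uniformResourceIdentifier is GeneralName choice [6], primitive, so tag 0x86.
SAMPLE_AIA = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, OID_AD_CAISSUERS) + _tlv(0x86, b"http://ca.example.test/ca.crt"))
    + _tlv(0x30, _tlv(0x06, OID_AD_OCSP) + _tlv(0x86, b"http://ocsp.example.test:8080/")))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def _children(body: bytes):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def ocsp_urls_from_aia(aia_der: bytes) -> List[str]:
    """Return every OCSP URI found in an AuthorityInfoAccess extension value."""
    tag, body, end = _read_tlv(aia_der, 0)
    if tag != 0x30 or end != len(aia_der):
        raise ValueError("AIA is not a single SEQUENCE")
    urls = []
    for desc_tag, desc in _children(body):
        if desc_tag != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        items = list(_children(desc))
        if len(items) != 2:
            raise ValueError("AccessDescription needs accessMethod and accessLocation")
        (m_tag, method), (l_tag, location) = items
        if m_tag == 0x06 and method == OID_AD_OCSP and l_tag == 0x86:
            urls.append(location.decode("ascii"))
    return urls


def parse_url(url: str) -> Tuple[str, int, str]:
    """Split an http(s) URL into (host, port, path); any part missing is an error."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unusable responder URL: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port, parts.path or "/"


@dataclass
class OcspConfig:               # field names are this example's, mirroring the thread
    override_cert_url: bool     # yes: always use `url`; no: take the URL from the cert
    url: Optional[str]          # configured responder, used when override_cert_url is yes
    soft_fail: bool             # accept when the responder cannot be asked at all


def choose_responder(cfg: OcspConfig, aia_der: bytes) -> Optional[str]:
    """Pick the responder URL, or None when there is nothing usable."""
    if cfg.override_cert_url:
        return cfg.url
    if not aia_der:             # certificate carries no AIA at all
        return None
    urls = ocsp_urls_from_aia(aia_der)
    return urls[0] if urls else None


def check_client_cert(cfg: OcspConfig, aia_der: bytes,
                      query: Callable[[Tuple[str, int, str]], str]) -> str:
    """Return 'accept' or 'reject'. `query` stands in for the network round trip and
    returns 'good', 'revoked', or 'no_response' when the responder never answered."""
    url = choose_responder(cfg, aia_der)
    try:
        target = parse_url(url) if url else None
    except ValueError:
        target = None
    if target is None:                     # no host / port / url: skip only with soft_fail
        return "accept" if cfg.soft_fail else "reject"
    answer = query(target)
    if answer == "good":
        return "accept"
    if answer == "no_response":            # responder down: fail safe unless soft_fail
        return "accept" if cfg.soft_fail else "reject"
    return "reject"                        # a negative answer always rejects
```

Running check_client_cert with a certificate that has no AIA and soft_fail off reproduces the fail-safe reject; turning soft_fail on turns that same case into an accept, but a 'revoked' answer still rejects either way.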

