EAP-TLS CRL problem - a PKIX guru around?

Stefan Winter stefan.winter at restena.lu
Wed Mar 11 07:54:10 CET 2015


Hi,

> I think you're right about the intermediate being the issue... if your leaf doesn't contain a CRL distribution point then OpenSSL can't be querying it.

I don't think OpenSSL follows CRLDPs on its own. CRLs need to be on the
filesystem beside the CA certs, with c_rehash. Then openssl does its
magic based on that data set.

I just did an openssl verify for the client certificate on my cmdline,
which yielded the same error.

> I notice that when I'm querying your root CRL, openssl is only returning the first entry. I wonder if it does that when doing an actual validation, as opposed to dumping the CRL.
> 
> Also From your root CRL:
> 
>             X509v3 Issuing Distrubution Point:
>                 00...,.*https://www.restena.lu/ca/restena-root.crl
> 
> That looks wrong but given OpenSSL is spelling "distribution" wrong this could be a bug in the text output renderer...

I get this for an openssl x509 -in ... -noout -text on our root CA:

             X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://www.restena.lu/ca/restena-root.crl

I think your text output misses the binary representation of "Full Name,
URI" and spits out the binary garbage untranslated.

So, I'm nowhere closer to finding what's wrong with my CRL. Colleagues
from another CA gave me their own (working) CRL to take a look - maybe I
should live a simpler life and issue CRL Version 1, which doesn't have
any notion of revocation reasons nor authority identifiers.

Greetings,

Stefan Winter

> Regards,
> 
> Adam Bishop
> Systems Development Specialist

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
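As an added example, not code from the thread or from FreeRADIUS, this POSIX shell script shows the filesystem layout described above: one CRL per CA beside the CA certs, linked under their hashes the way c_rehash does it, then checked with openssl verify -crl_check_all, and it also reproduces the failure suspected above, a missing CRL for the intermediate. All CA and leaf names are invented; it assumes openssl 1.1.1 or newer with its default openssl.cnf installed.

```shell
#!/bin/sh
# Added example, not from the thread: build a root -> intermediate -> leaf chain with
# one CRL per CA, lay certs and CRLs out in a -CApath directory the way c_rehash does
# (<subject_hash>.0 for certs, <issuer_hash>.r0 for CRLs) and verify the leaf with
# -crl_check_all. Names and the temp directory are made up for the demo.
set -eu
PKI=$(mktemp -d); cd "$PKI"; mkdir certs
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# mkca NAME [ISSUER]: CA key + cert (self-signed if no issuer), the minimal config and
# empty index that `openssl ca -gencrl` / `-revoke` need, and the <hash>.0 link
mkca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ $# -eq 1 ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile ca.ext -days 30 -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -extfile ca.ext -days 30 -out "$1.crt" 2>/dev/null
  fi
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.db\ncertificate=%s.crt\nprivate_key=%s.key\ndefault_md=sha256\ndefault_crl_days=30\n' "$1" "$1" "$1" > "$1.cnf"
  : > "$1.db"
  ln -s "$PKI/$1.crt" "certs/$(openssl x509 -in "$1.crt" -subject_hash -noout).0"
}
# gencrl NAME: (re)issue the CA's CRL and link it under its issuer hash, as c_rehash would
gencrl() {
  openssl ca -config "$1.cnf" -gencrl -md sha256 -crldays 30 -out "$1.crl" 2>/dev/null
  ln -sf "$PKI/$1.crl" "certs/$(openssl crl -in "$1.crl" -hash -noout).r0"
}
# mkleaf NAME: end-entity cert issued by the intermediate (no CA extensions)
mkleaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -days 30 -out "$1.crt" 2>/dev/null
}
# verify_cert NAME: print what openssl verify says (OK, revoked, or missing CRL)
verify_cert() { openssl verify -CApath certs -crl_check_all "$1.crt" 2>&1 || true; }

mkca root; mkca intermediate root; gencrl root; gencrl intermediate; mkleaf leaf
echo "1) CRLs for both CAs present:";    verify_cert leaf   # prints: leaf.crt: OK
openssl ca -config intermediate.cnf -revoke leaf.crt 2>/dev/null; gencrl intermediate
echo "2) leaf revoked by intermediate:"; verify_cert leaf   # prints: certificate revoked
rm "certs/$(openssl crl -in intermediate.crl -hash -noout).r0"
echo "3) intermediate CRL missing:";     verify_cert leaf   # prints: unable to get certificate CRL
```

Case 3 is the one to look for first when a chain with an intermediate fails CRL checking: with -crl_check_all every CA in the chain, the root included, must have its CRL in the directory.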