OCSP Response Signed by other CA
Alan DeKok
aland at deployingradius.com
Thu Oct 31 19:38:16 CET 2019
> On Oct 31, 2019, at 2:09 PM, Mike DiBella <mike at dibella.net> wrote:
>
> In testing my OCSP responder configuration I've found that the following openssl command:
>
> openssl ocsp -issuer client_cer_root.cer -cert client.cer -VAfile ocsp_signer.cer -url http://ocsp.responder.net/ocsp
>
> returns:
>
> Response verify OK
> client.cer: good
> This Update: Oct 31 11:43:47 2019 GMT
> Next Update: Nov 2 00:03:47 2019 GMT
>
> I see that there is a client keyword in the verify section of the eap configuration file. I'm wondering if I can substitute this command for the default openssl verify command prototyped in the file?
Yes, that should mostly work. You should use %{TLS-Client-Cert-Filename} instead of a hard-coded filename though. The server will write the client certificate to a temporary file, and then clean it up after OCSP tests are done.
> In my testing, it looks like openssl returns exit 0 for both verified and responder errors, so I'm wondering how freeradius parses the result of the command.
FreeRADIUS looks for the command to succeed / fail. If the OCSP responder is down, OpenSSL may do various magic. :(
The solution is to ensure that critical pieces of infrastructure stay up.
Alan DeKok.
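The exit-status problem discussed above, handled by a wrapper script that FreeRADIUS can exec from the eap "verify { client = ... }" hook. This is an added example, not code from the thread or from the FreeRADIUS project; the certificate paths, the responder URL and the script location are placeholders, and only the "good"/verify-OK parsing is exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project: a wrapper
# for the eap "verify { client = ... }" hook. As noted in the thread,
# "openssl ocsp" exits 0 even on responder errors, while FreeRADIUS only
# looks at the exit status. This script inspects the output and succeeds
# only when the response verified AND the certificate status is "good".
#
# Assumed (placeholder) paths and URL; override via environment.
ISSUER=${OCSP_ISSUER:-/etc/raddb/certs/client_cer_root.cer}
VAFILE=${OCSP_VAFILE:-/etc/raddb/certs/ocsp_signer.cer}
URL=${OCSP_URL:-http://ocsp.responder.net/ocsp}

# check_ocsp_output CERT OUTPUT -> 0 only for "Response verify OK" plus an
# exact "CERT: good" line; revoked/unknown status, "Responder Error",
# "Response Verify Failure" or empty output all yield 1.
check_ocsp_output() {
    cert=$1
    out=$2
    printf '%s\n' "$out" | grep -qxF 'Response verify OK' || return 1
    printf '%s\n' "$out" | grep -qxF "${cert}: good" || return 1
    return 0
}

# ocsp_verify CERT: run the command from the thread and map its output to
# an exit status. openssl writes the verify result to stderr and the
# status line to stdout, so both streams are captured.
ocsp_verify() {
    cert=$1
    out=$(openssl ocsp -issuer "$ISSUER" -cert "$cert" \
                       -VAfile "$VAFILE" -url "$URL" 2>&1) || return 1
    check_ocsp_output "$cert" "$out"
}

# Sample responder output (copied from the thread) plus constructed
# failure cases, used to exercise check_ocsp_output offline.
SAMPLE_GOOD='Response verify OK
client.cer: good
This Update: Oct 31 11:43:47 2019 GMT
Next Update: Nov 2 00:03:47 2019 GMT'
SAMPLE_REVOKED='Response verify OK
client.cer: revoked
This Update: Oct 31 11:43:47 2019 GMT'
SAMPLE_RESPONDER_ERROR='Responder Error: internalerror (2)'   # constructed

# Invoked by FreeRADIUS as, e.g. (placeholder path):
#   client = "/usr/local/sbin/ocsp_verify.sh %{TLS-Client-Cert-Filename}"
if [ -n "$1" ]; then
    ocsp_verify "$1"
fi
```

Because the script exits non-zero on a revoked/unknown status, a responder error, or a failed signature check, a responder outage fails the EAP-TLS client closed rather than silently passing it.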