<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3059" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face="Courier New" size=2><SPAN class=468571221-23032007>I am trying
to set up EAP-TLS using FreeRadius, and I</SPAN></FONT><FONT face="Courier New"
size=2><SPAN class=468571221-23032007> am using EJBCA to sign my
certs. I have been able to get everything to work correctly except the
CRL. I have created a directory /usr/local/etc/raddb/certs/crls where I am
storing my CRL info. In this directory I have the certificate chain of the
signing CA (in pem format) and the latest CRL for that CA (also in pem
format). After the CRL is copied into this directory I execute c_rehash on
the directory and everything runs fine. When I run radiusd, however, all
attempts to authenticate are denied. The pertinent portion of the output
from radiusd -X -A is:</SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=2><SPAN
class=468571221-23032007></SPAN></FONT> </DIV>
<DIV><FONT><SPAN class=468571221-23032007><FONT face="Courier New"
size=2> </FONT></DIV>
<DIV class=code><FONT face="Courier New" size=2> rlm_eap_tls: <<< TLS
1.0 Handshake [length 07b8], Certificate </FONT></DIV>
<DIV class=code><FONT face="Courier New" size=2>--> verify error:num=8:CRL
signature failure </FONT></DIV>
<DIV class=code><FONT face="Courier New" size=2>rlm_eap_tls: >>> TLS
1.0 Alert [length 0002], fatal decrypt_error </FONT></DIV>
<DIV class=code><FONT face="Courier New" size=2>TLS Alert write:fatal:decrypt
error </FONT></DIV>
<DIV class=code><FONT face="Courier New" size=2>TLS_accept:error in SSLv3 read
client certificate B</FONT></DIV>
<DIV class=code><FONT face="Courier New" size=2>rlm_eap: SSL error
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not
01</FONT></DIV>
<DIV class=code><FONT face="Courier New" size=2>rlm_eap_tls: SSL_read failed
inside of TLS (-1), TLS session fails.</FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV><FONT face="Courier New" size=2><SPAN class=468571221-23032007>This
seems to tell me that FreeRadius cannot verify the CRL against the CA
cert. However, when I run:</SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=2><SPAN
class=468571221-23032007> openssl crl -in my-crl.pem -inform
PEM -CAfile my-cacert.pem -issuer -lastupdate -nextupdate
-noout</SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=2><SPAN class=468571221-23032007>it returns
verify OK and the correct info on issuer and update times.</SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=2><SPAN
class=468571221-23032007></SPAN></FONT> </DIV>
<DIV><FONT face="Courier New" size=2><SPAN class=468571221-23032007>Also when I
run:</SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=2><SPAN
class=468571221-23032007> openssl verify -CApath ./ -crl_check
test.pem </SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=2><SPAN class=468571221-23032007>it behaves
as expected. </SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=2><SPAN
class=468571221-23032007></SPAN></FONT> </DIV>
<DIV><FONT face="Courier New" size=2><SPAN class=468571221-23032007>Any
ideas?</SPAN></FONT></SPAN></FONT></DIV>
<DIV><FONT face="Courier New" size=2></FONT> </DIV>
<DIV align=left><FONT face="Courier New" size=2>Jeremy Pastin</FONT></DIV>
<DIV align=left><FONT face="Courier New" size=2></FONT> </DIV>
<DIV align=left><FONT face="Courier New" size=2><A
href="mailto:helpdesk@firstindustrial.com">helpdesk@firstindustrial.com</A></FONT></DIV>
<DIV align=left><FONT face="Courier New" size=2>312-344-4444</FONT></DIV>
<DIV align=left><FONT face="Courier New" size=2></FONT> </DIV>
<DIV align=left><FONT face="Courier New" size=2>First Industrial Realty Trust,
Inc.</FONT></DIV>
<DIV align=left><FONT face="Courier New" size=2>311 S Wacker Dr</FONT></DIV>
<DIV align=left><FONT face="Courier New" size=2>Chicago, IL 60606</FONT></DIV>
<DIV align=left><FONT face="Courier New" size=2></FONT> </DIV>
<DIV align=left><FONT face="Courier New" size=2>Phone:
312-344-4425</FONT></DIV>
<DIV align=left><FONT face="Courier New" size=2>Fax:
312-895-9425</FONT></DIV>
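<DIV><FONT face="Courier New" size=2>Added example, not part of the message above and not FreeRADIUS, OpenSSL or EJBCA code: the Go program below (standard library only) performs the checks a verifier makes before it trusts a CRL, which are what "openssl crl -CAfile" exercises and what "verify error:num=8:CRL signature failure" reports when the signature step fails. It builds its own constructed fixture: a signing CA, a client certificate with serial 1000, a CRL the CA signed that revokes it, and a second CRL with the same issuer name signed by a re-keyed CA (same subject name, different key pair). The CA name, serial numbers, the re-keyed-CA scenario and all function names are assumptions made for illustration and say nothing about what is wrong in this particular setup.</FONT></DIV>

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ok unwraps (value, error) pairs; the fixture code panics on any setup error.
func ok[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert signs tmpl under parent and re-parses the DER, which populates
// SubjectKeyId; CreateRevocationList requires that field on the issuer.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	return ok(x509.ParseCertificate(ok(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// selfSignedCA builds a CA carrying the cRLSign key usage a CRL issuer needs.
func selfSignedCA(cn string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mkCert(tmpl, tmpl, &key.PublicKey, key)
}

// issueLeaf issues a constructed EAP-TLS client certificate with the given serial.
func issueLeaf(serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("supplicant-%d", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafKey := ok(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return mkCert(tmpl, ca, &leafKey.PublicKey, caKey)
}

// signCRL produces a CRL, valid for one day, that lists one serial as revoked.
func signCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, serial *big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: time.Now().Add(-time.Hour)}}}
	return ok(x509.ParseRevocationList(ok(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// BuildFixture returns the constructed setup (not the poster's): a CA, a client
// certificate it issued, a CRL the CA signed revoking it, and a CRL with the same
// issuer name signed by a re-keyed CA (same subject, different key pair).
func BuildFixture() (ca, leaf *x509.Certificate, goodCRL, wrongKeyCRL *x509.RevocationList) {
	caKey := ok(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca = selfSignedCA("Constructed Signing CA", caKey)
	leaf = issueLeaf(1000, ca, caKey)
	// Same subject, new key: c_rehash names files by a hash of the subject, so this
	// CA's certificate and CRL would sit beside the originals in the CRL directory.
	rekeyedKey := ok(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rekeyed := selfSignedCA("Constructed Signing CA", rekeyedKey)
	return ca, leaf, signCRL(ca, caKey, leaf.SerialNumber), signCRL(rekeyed, rekeyedKey, leaf.SerialNumber)
}

// VerifyCRL applies the checks a verifier makes before trusting a CRL: issuer name
// equals the CA subject, the signature verifies under the CA's public key, and
// nextUpdate has not passed. A signature that fails to verify is OpenSSL's error 8.
func VerifyCRL(crl *x509.RevocationList, ca *x509.Certificate) error {
	if !bytes.Equal(crl.RawIssuer, ca.RawSubject) {
		return fmt.Errorf("CRL issuer %q does not match CA subject %q", crl.Issuer.String(), ca.Subject.String())
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature failure: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL has expired: nextUpdate %s is in the past", crl.NextUpdate.Format(time.RFC3339))
	}
	return nil
}

// IsRevoked asks what the EAP-TLS server asks of a client certificate: is its
// serial listed in a CRL that VerifyCRL accepts? An unverifiable CRL is an error,
// never a silent "not revoked".
func IsRevoked(leaf *x509.Certificate, crl *x509.RevocationList, ca *x509.Certificate) (bool, error) {
	if err := VerifyCRL(crl, ca); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, leaf, goodCRL, wrongKeyCRL := BuildFixture()
	_, errGood := IsRevoked(leaf, goodCRL, ca)
	_, errWrong := IsRevoked(leaf, wrongKeyCRL, ca)
	fmt.Printf("CRL signed by the CA: %v\nCRL signed by re-keyed CA: %v\n", errGood, errWrong)
}
```

<DIV><FONT face="Courier New" size=2>Run with "go run". The CRL signed by the CA verifies and reports serial 1000 as revoked; the CRL signed under the same issuer name by a different key fails at the signature step, which is the same condition the radiusd output names. Checking the issuer name against the raw subject bytes mirrors the hashed-directory lookup c_rehash sets up, and the nextUpdate check covers the separate "CRL has expired" verify error a stale file in that directory produces.</FONT></DIV>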
<DIV> </DIV></BODY></HTML>