Alan Buxey wrote:
in the TLS RADSEC configuration, if I want to use OpenSSL for external verification (which i cant FULLY do...but still), I get the following error if I use the ${certdir} expansion - as used all throughout the rest of the config
That *should* work...
there appears to be another issue too... if i say that the cert must be valid for a purpose and its not valid for the purpose then it passes the test anyway(!) thats not what I had in mind ;-)
(0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename} (0) expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60 Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program: returned: 0 (0) Client certificate CN server.camford.ac.uk passed external validation ... ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isnt.
Isn't OpenSSL grand? If verification fails, the command still returns "success". Crazy. Instead, you probably have to root through the output of OpenSSL, to see if it says "success" or "error". Alan DeKok.