Hi,
in the TLS RADSEC configuration, if I want to use OpenSSL for external verification (which i cant FULLY do...but still), I get the following error if I use the ${certdir} expansion - as used all throughout the rest of the config
That *should* work...
I thought it should too. however, it just complains about unknown variable.
(0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename} (0) expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60 Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program: returned: 0 (0) Client certificate CN server.camford.ac.uk passed external validation ... ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isnt.
Isn't OpenSSL grand? If verification fails, the command still returns "success".
Crazy.
Instead, you probably have to root through the output of OpenSSL, to see if it says "success" or "error".
looks that way. the output from a successful verify looks like server.lboro.ac.uk-eduPKI.pem: OK (and thats all, nothing else....of course, this might change with different version of OpenSSL) alan