RADSEC validation/verification
hi, I note that the certificate being used in RADSEC can be validated by the certificate issuer - but this doesnt work if there are more than 1 certificate issuer, can RADSEC be validated by for example, an OID in the certificate? I've noted and tried the 'verify' section - which looks rather funky and useful...but my openssl doesnt seem to have any of the useful arguments (-policy) - 0.9.8e-fips-rhel5 I had: client = "/usr/bin/openssl verify -policy .1.3.6.1.4.1.25178.3.1.2 %{TLS-Client-Cert-Filename}" but no joy :-( alan
hi, in the TLS RADSEC configuration, if I want to use OpenSSL for external verification (which i cant FULLY do...but still), I get the following error if I use the ${certdir} expansion - as used all throughout the rest of the config WARNING: No such configuration item certdir /etc/raddb/sites-enabled/tls[252]: Reference "/usr/bin/openssl verify -CAfile ${certdir}/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename}" not found Errors reading /etc/raddb/radiusd.conf there appears to be another issue too... if i say that the cert must be valid for a purpose and its not valid for the purpose then it passes the test anyway(!) thats not what I had in mind ;-) (0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename} (0) expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60 Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program: returned: 0 (0) Client certificate CN server.camford.ac.uk passed external validation run on the command line I get: server.lboro.ac.uk-PKI.pem: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.lboro.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isnt. alan
Alan Buxey wrote:
in the TLS RADSEC configuration, if I want to use OpenSSL for external verification (which i cant FULLY do...but still), I get the following error if I use the ${certdir} expansion - as used all throughout the rest of the config
That *should* work...
there appears to be another issue too... if i say that the cert must be valid for a purpose and its not valid for the purpose then it passes the test anyway(!) thats not what I had in mind ;-)
(0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename} (0) expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60 Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program: returned: 0 (0) Client certificate CN server.camford.ac.uk passed external validation ... ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isnt.
Isn't OpenSSL grand? If verification fails, the command still returns "success". Crazy. Instead, you probably have to root through the output of OpenSSL, to see if it says "success" or "error". Alan DeKok.
Hi,
in the TLS RADSEC configuration, if I want to use OpenSSL for external verification (which i cant FULLY do...but still), I get the following error if I use the ${certdir} expansion - as used all throughout the rest of the config
That *should* work...
I thought it should too. however, it just complains about unknown variable.
(0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename} (0) expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60 Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK Exec-Program: returned: 0 (0) Client certificate CN server.camford.ac.uk passed external validation ... ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isnt.
Isn't OpenSSL grand? If verification fails, the command still returns "success".
Crazy.
Instead, you probably have to root through the output of OpenSSL, to see if it says "success" or "error".
looks that way. the output from a successful verify looks like server.lboro.ac.uk-eduPKI.pem: OK (and thats all, nothing else....of course, this might change with different version of OpenSSL) alan
participants (2)
-
Alan Buxey -
Alan DeKok