OCSP failure with nonce - patch for option use_nonce
Hi, Testing OCSP today, it took a while to realise that the server didn't support nonce, but freeradius always sends it. This meant all OCSP requests were rejected as 'unauthorised'. It turns out that the MS Certificate Services responder ships with nonce support disabled, but it can be enabled, which did fix our issue. However reading around the web it sounds like there are responders out there that can't cope with nonce. So here's a patch that adds a new option to the OCSP settings, 'use_nonce', which defaults to yes. Tested here (v2.1.x branch) and it means that the certificate validation will still work if the server can't understand nonce. Obviously there's an increased chance of a replay attack with it disabled, so I added a warning to the config that recommends not turning it off unless necessary. Patch for v2.1.x branch: https://github.com/mcnewton/freeradius-server/commit/1f52a80b62d00fa22004870... and against master (untested, I confess): https://github.com/mcnewton/freeradius-server/commit/f9578ba407934d0a27a7e1f... It looks sane to me, and works, but probably needs eyeballing by someone with openssl knowledge to ensure I haven't done something stupid. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (1)
-
Matthew Newton