Hi, I've just had to revoke a certificate, and thus had to configure FreeRADIUS to enable CRL checks. Which went fine, except that while checking a valid cert, the CRL checks bark with something I don't understand. It's not entirely a FreeRADIUS question, but ... maybe enough clueful EAP-TLS deployers around maybe? What I see in debug mode is this: (5760) eap_tls: <<< TLS 1.0 Handshake [length 141a], Certificate (5760) eap_tls: TLS Verify adding attributes (5760) eap_tls: &request:TLS-Client-Cert-Serial := '010d' (5760) eap_tls: &request:TLS-Client-Cert-Expiration := '161028102449Z' (5760) eap_tls: &request:TLS-Client-Cert-Subject := '/C=LU/L=Luxembourg/O=Fondation RESTENA/OU=Secretariat/CN=certuser-2016-009@restena.lu/emailAddress=certuser-2016-009@restena .lu' (5760) eap_tls: &request:TLS-Client-Cert-Issuer := '/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin@restena.lu' (5760) eap_tls: &request:TLS-Client-Cert-Common-Name := 'certuser-2016-009@restena.lu' ERROR: (5760) eap_tls: SSL says error 44 : Different CRL scope (5760) eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown ERROR: (5760) eap_tls: TLS Alert write:fatal:certificate unknown tls: TLS_accept: Error in SSLv3 read client certificate B ERROR: (5760) eap_tls: SSL says: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. So... the smoking gun line is "error 44 : Different CRL scope". Which means exactly nothing to me. The cert is issued by TLS-Client-Cert-Issuer := '/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin@restena.lu' and the CRL has: Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha512WithRSAEncryption Issuer: /C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin@restena.lu Last Update: Mar 9 08:57:55 2015 GMT Next Update: Mar 6 08:57:55 2025 GMT CRL extensions: X509v3 Issuer Alternative Name: email:admin@restena.lu X509v3 Authority Key Identifier: keyid:4A:16:64:64:0B:AF:01:3D:5F:B4:9E:BB:B0:6D:FE:F2:E9:81:60:4D DirName:/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Services CA/emailAddress=admin@restena.lu serial:01:00 X509v3 Issuing Distrubution Point: Full Name: URI:https://www.restena.lu/restena-staffauth.crl X509v3 CRL Number: 2 Revoked Certificates: Serial Number: 0103 Revocation Date: Mar 9 08:57:15 2015 GMT CRL entry extensions: X509v3 CRL Reason Code: Affiliation Changed So, the issuer of the CRL matches the issuer of the cert, and the CRL only revokes one of its serials, and it's not the incoming one. What the ... is openssl complaining about here? If anyone knows, please enlighten me... Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66