On Wed, Sep 21, 2016 at 09:45:08AM -0400, Alan DeKok wrote:
# If OCSP checking is enabled, and the OCSP checks fail, # the verify section is skipped.
You should be able to run the external command without OCSP.
That makes sense. But as I understand the code, it doesn't allow for external command without OCSP enabled. I think I even tested it. Also, the following two lines in verify stanza (eap module) don't make things clear enough: # If the OCSP checks succeed, the verify section # is run to allow additional checks.
Issue 1 (OCSP checks fail for a RadSec client):
OK, that makes sense. I'll push a fix.
Thanks for pushing the fix.
Issue 2 (validation via external command blocked by if clause):
The problem is that your patch completely removes all of the logic about checking the OCSP status.
I admit I've oversimlified a bit.
I'll push a fix which matches the comments in the code, and the documentation.
I see the patched code, commit c88614354f80bec0e0e777338e170474f2242212. However, the documentation says: * If OCSP returns skipped (2), we run the verify command, unless * conf->verify_skip_if_ocsp_ok is true. That demands one more modification to fit exactly: - ((my_ok == OCSP_STATUS_SKIPPED) && conf->verify_skip_if_ocsp_ok)) + ((my_ok == OCSP_STATUS_SKIPPED) && !conf->verify_skip_if_ocsp_ok)) The code will get even more convoluted, should it introduce a possibility to run an external command (verify) when ocsp is disabled. See attached nasty diff. Thanks for your comments and care. Martin