On 11 Aug 2011, at 20:46, Travis Dimmig wrote:
Travis Dimmig wrote:
Apologies ahead of time if this information is easily available somewhere else, but everything I found seemed to be a few years out of date. Does freeRadius now have the ability to re-read a certificate revocation list, or does it still require a restart after additions to the CRL?
FreeRADIUS uses OpenSSL for all SSL related things. OpenSSL doesn't re- load CRLs dynamically.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OpenSSL does provide a way of outputting the crl to a pem file, though, for instance. Would it not be possible to point freeRadius to such a file and have it either monitor for changes or re-read when attempting a certificate based authentication? A user would be responsible for re-generating that file when a new certificate is revoked, but freeRadius would not have to be restarted.
If you think its possible feel free to submit a patch :) - I think support was added for OCSP at least in 3.0, you could probably leverage that if you needed something more dynamic. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter