Apologies ahead of time if this information is easily available somewhere else, but everything I found seemed to be a few years out of date. Does freeRadius now have the ability to re-read a certificate revocation list, or does it still require a restart after additions to the CRL? Travis Dimmig Software Development Specialist Impulse Point www.impulse.com<http://www.impulse.com>
Travis Dimmig wrote:
Apologies ahead of time if this information is easily available somewhere else, but everything I found seemed to be a few years out of date. Does freeRadius now have the ability to re-read a certificate revocation list, or does it still require a restart after additions to the CRL?
FreeRADIUS uses OpenSSL for all SSL related things. OpenSSL doesn't re-load CRLs dynamically. Alan DeKok.
Travis Dimmig wrote:
Apologies ahead of time if this information is easily available somewhere else, but everything I found seemed to be a few years out of date. Does freeRadius now have the ability to re-read a certificate revocation list, or does it still require a restart after additions to the CRL?
FreeRADIUS uses OpenSSL for all SSL related things. OpenSSL doesn't re- load CRLs dynamically.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OpenSSL does provide a way of outputting the crl to a pem file, though, for instance. Would it not be possible to point freeRadius to such a file and have it either monitor for changes or re-read when attempting a certificate based authentication? A user would be responsible for re-generating that file when a new certificate is revoked, but freeRadius would not have to be restarted. If this question is off the mark, it is probably because I don't know how freeRadius interacts with OpenSSL for certification validation. Can you explain to me how freeRadius currently checks if a certificate is valid or revoked? Travis
On 11 Aug 2011, at 20:46, Travis Dimmig wrote:
Travis Dimmig wrote:
Apologies ahead of time if this information is easily available somewhere else, but everything I found seemed to be a few years out of date. Does freeRadius now have the ability to re-read a certificate revocation list, or does it still require a restart after additions to the CRL?
FreeRADIUS uses OpenSSL for all SSL related things. OpenSSL doesn't re- load CRLs dynamically.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OpenSSL does provide a way of outputting the crl to a pem file, though, for instance. Would it not be possible to point freeRadius to such a file and have it either monitor for changes or re-read when attempting a certificate based authentication? A user would be responsible for re-generating that file when a new certificate is revoked, but freeRadius would not have to be restarted.
If you think its possible feel free to submit a patch :) - I think support was added for OCSP at least in 3.0, you could probably leverage that if you needed something more dynamic. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Travis Dimmig