[RP #2160] EAP-TLS | OCSP with Intermediate CA
Hello, Following up on the pull-request. The scenario I am testing is when a client issue a certificate from a sub-ca which is not trusted (ca_file only points to root CA). In such case, the client must send its issuer certificate along in order to complete the chain and get verified. This works ok, however the OCSP verification is skipped in such case because we fail get issuer certificate (even if softfail is no). The first patch fix the above and treats this error as a soft failure. The second one attempts to get the issuer-certificate differently which works for this scenario (where the issuer isn't trusted). Note that eapol_test, unlike some other supplicants, doesn't send all the certificates from the client_cert file. However, it can be done with a little patch as follows: # git diff diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index ce73848..d180343 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct tls_connection *conn, return 0; } - if (SSL_use_certificate_file(conn->ssl, client_cert, - SSL_FILETYPE_PEM) == 1) { + if (SSL_use_certificate_chain_file(conn->ssl, client_cert)) { ERR_clear_error(); - wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)" + wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file (PEM)" " --> OK"); return 0; Configuration example: network={ ssid="1x-test" key_mgmt=IEEE8021X eap=TLS identity="bob" ca_cert="freeradius_ca_cert" client_cert="client_cert_and_issuer" private_key="key" private_key_passwd="pwd" eapol_flags=3 } Thanks, Isaac B.
Little correction. On Thu, Jan 18, 2018 at 3:11 AM, Isaac Boukris <iboukris@gmail.com> wrote:
Note that eapol_test, unlike some other supplicants, doesn't send all the certificates from the client_cert file. However, it can be done with a little patch as follows:
# git diff diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index ce73848..d180343 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct tls_connection *conn, return 0; }
- if (SSL_use_certificate_file(conn->ssl, client_cert, - SSL_FILETYPE_PEM) == 1) { + if (SSL_use_certificate_chain_file(conn->ssl, client_cert)) {
Should read: + if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
Hey, On Thu, Jan 18, 2018 at 3:11 AM, Isaac Boukris <iboukris@gmail.com> wrote:
Hello,
Following up on the pull-request. The scenario I am testing is when a client issue a certificate from a sub-ca which is not trusted (ca_file only points to root CA). In such case, the client must send its issuer certificate along in order to complete the chain and get verified. This works ok, however the OCSP verification is skipped in such case because we fail get issuer certificate (even if softfail is no).
The first patch fix the above and treats this error as a soft failure. The second one attempts to get the issuer-certificate differently which works for this scenario (where the issuer isn't trusted).
Any thoughts on this? I can collect server debug of this flow, before and after the patches if it helps. Thanks!
On Jan 23, 2018, at 1:07 PM, Isaac Boukris <iboukris@gmail.com> wrote:
Any thoughts on this? I can collect server debug of this flow, before and after the patches if it helps.
I think it looks good. I'll have to go over it in detail, which is why it's taking so long. It's important for me to understand the consequences of changing core behaviour... Alan DeKok.
On Wed, Jan 24, 2018 at 10:20 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 23, 2018, at 1:07 PM, Isaac Boukris <iboukris@gmail.com> wrote:
Any thoughts on this? I can collect server debug of this flow, before and after the patches if it helps.
I think it looks good. I'll have to go over it in detail, which is why it's taking so long.
It's important for me to understand the consequences of changing core behaviour...
Thank you for the initial feedback. On a related note, I'd like to mention that I also thought of proposing a new directive like 'untrusted_ca_file', which we'd load with 'SSL_CTX_add_extra_chain_cert()' and only use it to complete the chain (if the client didn't send it), like 'openssl verify -untrusted' option, but I can't think of a practical benefit over just adding it to 'ca_file' as trusted. Regards.
participants (2)
-
Alan DeKok -
Isaac Boukris