Re: using SSL certs with EAP-TLS
Hi Alan,
for other checks , unlang parsing with TLS-Client-Cert-CN can verify if the CN matches something that you've handed out - your realm, for example, shouldnt be present int he CN from commercial CAs as noone else owns it/has authority (unless something interesting is going on in your company.....) likewise, OCSP can also be used to verify if the cert is valid/current
Ok, thanks, I understand. I added OCSP checking with ocsp { enable = yes override_cert_url = no url = "http://ocsp.startssl.com/sub/class1/client/ca" } but it didn't work, exited with the error " Error: OCSP response has wrong nonce value " . The site https://blog.pki.dfn.de/tag/freeradius/ helped me make it work with the hint to add "use_nonce = no". I send this mail for future (Google'rs) reference. Cheers
On Tue, Apr 05, 2016 at 05:03:34PM +0200, Wouter wrote:
Ok, thanks, I understand. I added OCSP checking with ocsp { enable = yes override_cert_url = no url = "http://ocsp.startssl.com/sub/class1/client/ca" } but it didn't work, exited with the error " Error: OCSP response has wrong nonce value " . The site https://blog.pki.dfn.de/tag/freeradius/ helped me make it work with the hint to add "use_nonce = no".
Which is documented right next to the other OCSP options you set :) https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... Note the security warning in that text. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (2)
-
Matthew Newton -
Wouter