Issues extending EAP-TLS to use OCSP
Hi everyone, I have a working EAP-TLS setup using FreeRadius version 3.2.7. I'm trying to extend this setup to use OCSP but have not been successful. My configuration is as follows: ocsp { enable = yes override_cert_url = yes url = "http://ocsp:8080/" use_nonce = no timeout = 1 softfail = no } I'm encountering the following error message: (4) eap_tls: ocsp: Using responder URL "http://ocsp:8080/" (4) eap_tls: ERROR: (TLS) ocsp: Couldn't verify OCSP basic response: error:13800076:OCSP routines::signer certificate not found (4) eap_tls: ERROR: (TLS) ocsp: Certificate has expired or been revoked For debugging purposes, when I disable OCSP and instead use the following configuration: verify { tmpdir = /tmp/radiusd client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/" } OpenSSL can communicate with the OCSP responder without issues (I adjusted the log formatting for better readability.): (9) eap_tls: Verifying client certificate: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/ (9) eap_tls: Executing: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/ (9) eap_tls: EXPAND %{TLS-Client-Cert-Filename} (9) eap_tls: --> /tmp/radiusd/radiusd.client.XXefFihM Response verify OK (9) eap_tls: Program returned code (0) and output 'OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: F15315BA08FFF6A2400A75BEB618F1E27B9A2869 Issuer Key Hash: 8CB54C92E9319D17C39400BBC7615AF888B15BB1 Serial Number: 6280251183391E42D0FC4BE701F4BA61B204EE9D OCSP Response Data: OCSP Response Status: successful (0x0) This is a simple setup where the same ca.pem is used to sign both client certificates and OCSP responses. I have tried different configurations, including enabling/disabling auto_chain, using both ca_file and ca_path, using only ca_file or only ca_path, and switching cipher_server_preference. However, I have not found a configuration that resolves the "signer certificate not found" error. I'm out of ideas. My full TLS configuration is as follows: tls-config tls-common { private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem ca_path = ${cadir} auto_chain = yes cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.2" ecdh_curve = "" cache { enable = no lifetime = 24 # hours store { Tunnel-Private-Group-Id } } verify { tmpdir = /tmp/radiusd client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/" } ocsp { enable = no override_cert_url = yes url = "http://ocsp:8080/" use_nonce = no timeout = 1 softfail = yes } } I'd be grateful for any suggestions. Best regards, Przemyslaw Basa
If your OCSP certificate lacks the OCSP specific OID it will fail that basic verification process. We submitted a patch for a “verifycert” Boolean that can disable that OID test and was accepted for the master branch. I’ve got a version of that patch for 3.2.x that I’m happy to submit if the developers want it
On Mar 7, 2025, at 09:47, Przemysław Basa via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi everyone,
I have a working EAP-TLS setup using FreeRadius version 3.2.7. I'm trying to extend this setup to use OCSP but have not been successful. My configuration is as follows:
ocsp { enable = yes override_cert_url = yes url = "http://ocsp:8080/" use_nonce = no timeout = 1 softfail = no }
I'm encountering the following error message:
(4) eap_tls: ocsp: Using responder URL "http://ocsp:8080/" (4) eap_tls: ERROR: (TLS) ocsp: Couldn't verify OCSP basic response: error:13800076:OCSP routines::signer certificate not found (4) eap_tls: ERROR: (TLS) ocsp: Certificate has expired or been revoked
For debugging purposes, when I disable OCSP and instead use the following configuration:
verify { tmpdir = /tmp/radiusd client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/" }
OpenSSL can communicate with the OCSP responder without issues (I adjusted the log formatting for better readability.):
(9) eap_tls: Verifying client certificate: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/ (9) eap_tls: Executing: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/ (9) eap_tls: EXPAND %{TLS-Client-Cert-Filename} (9) eap_tls: --> /tmp/radiusd/radiusd.client.XXefFihM Response verify OK (9) eap_tls: Program returned code (0) and output 'OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: F15315BA08FFF6A2400A75BEB618F1E27B9A2869 Issuer Key Hash: 8CB54C92E9319D17C39400BBC7615AF888B15BB1 Serial Number: 6280251183391E42D0FC4BE701F4BA61B204EE9D OCSP Response Data: OCSP Response Status: successful (0x0)
This is a simple setup where the same ca.pem is used to sign both client certificates and OCSP responses. I have tried different configurations, including enabling/disabling auto_chain, using both ca_file and ca_path, using only ca_file or only ca_path, and switching cipher_server_preference. However, I have not found a configuration that resolves the "signer certificate not found" error. I'm out of ideas.
My full TLS configuration is as follows:
tls-config tls-common { private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem ca_path = ${cadir} auto_chain = yes cipher_list = "DEFAULT" cipher_server_preference = no tls_min_version = "1.2" tls_max_version = "1.2" ecdh_curve = "" cache { enable = no lifetime = 24 # hours store { Tunnel-Private-Group-Id } } verify { tmpdir = /tmp/radiusd client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/" } ocsp { enable = no override_cert_url = yes url = "http://ocsp:8080/" use_nonce = no timeout = 1 softfail = yes } }
I'd be grateful for any suggestions.
Best regards, Przemyslaw Basa
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 08.03.2025 00:31, Craig Huckabee wrote:
If your OCSP certificate lacks the OCSP specific OID it will fail that basic verification process.
That was indeed the case - thank you! It was driving me nuts. My current working solution is to use an intermediate CA to sign server.pem and client certificates. It also signs the OCSP responder certificate, which has the EKU set to OCSPSigning. For anyone wondering why an intermediate CA is necessary, the reason is that OpenSSL complains about self-signed certificate in the chain when the OCSP responder certificate is signed directly by the root CA. For completeness, I'll also mention that trying to add the OCSPSigning flag directly to the root CA results in the following errors: (5) eap_tls: ERROR: (TLS) OpenSSL says error 26 : unsuitable certificate purpose (5) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal unsupported_certificate (5) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:unsupported certificate (5) eap_tls: ERROR: (TLS) TLS - Server : Error in error (5) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed (5) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (5) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (5) eap_tls: ERROR: [eaptls process] = fail Regards, Przemyslaw Basa
participants (2)
-
Craig Huckabee -
Przemysław Basa