Reloading CRL for EAP-TLS
Hi, I'm trying implement freeRadius for users using EAP-TLS. My eap.conf:
eap { ...
tls { private_key_file = /etc/ssl/private/radius.etest.cesnet.cz.key.pem certificate_file = /etc/ssl/certs/radius.etest.cesnet.cz.crt.pem
CA_path = /etc/ssl/certs/
fragment_size = 1024
include_length = yes
check_crl = yes }
When CRL is changed on disk during freeRadius is running it never notices changed version and still uses older cached. This behavior come from OpenSSL I guess. For my implementation is this serious problem. Complete restart of freeRadius will break ongoing EAP sessions and introduce random problems with service for users I found mailing list post: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg31354.h... When I try send HUP signal to running freeRadius it crashes with return code 1 in case it didn't process any request. Log output is in file crash1.log When I send HUP signal to running freeRadius which processed several requests it survive and crash with segfault after receiving first request after the HUP signal. Log output is in crash2.log I was testing with freeRadius version 1.1.4 and 1.1.7 both with same result. Is there chance to get this fixed? Best regards -- ----------------------- Jan Tomasek aka Semik http://www.tomasek.cz/
Jan Tomasek wrote:
When CRL is changed on disk during freeRadius is running it never notices changed version and still uses older cached. This behavior come from OpenSSL I guess. For my implementation is this serious problem. Complete restart of freeRadius will break ongoing EAP sessions and introduce random problems with service for users
Yes...
When I try send HUP signal to running freeRadius it crashes with return code 1 in case it didn't process any request. Log output is in file crash1.log
1.1.x doesn't do HUP. i.e. it doesn't work.
Is there chance to get this fixed?
2.0 handles HUP better. It is easier to fix this issue in 2.0. Right now, 2.0 doesn't re-load CRL's on HUP. It doesn't crash, either... Alan DeKok.
Alan DeKok wrote:
Jan Tomasek wrote:
When CRL is changed on disk during freeRadius is running it never notices changed version and still uses older cached. This behavior come from OpenSSL I guess. For my implementation is this serious problem. Complete restart of freeRadius will break ongoing EAP sessions and introduce random problems with service for users
Yes...
Is there chance to get this fixed?
2.0 handles HUP better. It is easier to fix this issue in 2.0.
Right now, 2.0 doesn't re-load CRL's on HUP. It doesn't crash, either...
I understand that you are not planing to fix that for old freeRadius 1.1.x. I was testing on this version because majority of eduroam admins are using this version. Are you planing improve CRL support in version 2.0 in some near future? Thanks -- ----------------------- Jan Tomasek aka Semik http://www.tomasek.cz/
Jan Tomasek wrote:
I understand that you are not planing to fix that for old freeRadius 1.1.x. I was testing on this version because majority of eduroam admins are using this version.
Yes. Given the stability of 2.0, and the number of people using it in production, it may be worth upgrading.
Are you planing improve CRL support in version 2.0 in some near future?
I don't have any plans to change that code, but plans can change. Alan DeKok.
Alan, A year passed. Did you change your roadmap? Do you have plans to implement this feature and make rlm_eap RLM_TYPE_HUP_SAFE? I understand this is not an easy fix since it should handle ongoing EAP-TLS conversations Thanks. Leopold Alan DeKok-2 wrote:
Jan Tomasek wrote:
I understand that you are not planing to fix that for old freeRadius 1.1.x. I was testing on this version because majority of eduroam admins are using this version.
Yes. Given the stability of 2.0, and the number of people using it in production, it may be worth upgrading.
Are you planing improve CRL support in version 2.0 in some near future?
I don't have any plans to change that code, but plans can change.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Reloading-CRL-for-EAP-TLS-tp15270629p22495236.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
leopold wrote:
A year passed. Did you change your roadmap?
Roadmaps always change.
Do you have plans to implement this feature and make rlm_eap RLM_TYPE_HUP_SAFE?
There are no plans to do this right now.
I understand this is not an easy fix since it should handle ongoing EAP-TLS conversations
It would likely be better to add OCSP support. i.e. Make the server use OpenSSL's existing OCSP functionality. That adds dynamic certificate revocation, without requiring the EAP module to understand HUP. Alan DeKok.
participants (4)
-
Alan DeKok -
Jan Tomasek -
leopold -
Matt Causey