Quick question about OCSP URLs. When overriding the cert specified OCSP URL, can you specify more than one just in case a server dies for example? Just been off site and our F5 that load balances requests to our OCSP service decided not to forward them hence the only way to connect to eduroam was to delete the TLS profile and use PEAP. Talking to all the individual OCSP servers worked just fine. Rgds Alex
On Mar 29, 2016, at 8:14 AM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Quick question about OCSP URLs. When overriding the cert specified OCSP URL, can you specify more than one just in case a server dies for example?
I'm not sure. That's really an OpenSSL question. We just take whatever string is in the configuration, and pass it to OpenSSL. Alan DeKok.
On 29 Mar 2016, at 06:14, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Quick question about OCSP URLs. When overriding the cert specified OCSP URL, can you specify more than one just in case a server dies for example?
Just been off site and our F5 that load balances requests to our OCSP service decided not to forward them hence the only way to connect to eduroam was to delete the TLS profile and use PEAP. Talking to all the individual OCSP servers worked just fine.
No, it's not currently supported. It's not functionality available through OpenSSL, so we'd need to implement failover ourselves. It's not just the override URL, we don't parse multiple OCSP URLs in certificates either. Feel free to open a GitHub issue. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
o.k thanks A On 29 March 2016 at 13:59, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On 29 Mar 2016, at 06:14, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Quick question about OCSP URLs. When overriding the cert specified OCSP URL, can you specify more than one just in case a server dies for example?
Just been off site and our F5 that load balances requests to our OCSP service decided not to forward them hence the only way to connect to eduroam was to delete the TLS profile and use PEAP. Talking to all the individual OCSP servers worked just fine.
No, it's not currently supported. It's not functionality available through OpenSSL, so we'd need to implement failover ourselves.
It's not just the override URL, we don't parse multiple OCSP URLs in certificates either.
Feel free to open a GitHub issue.
-Arran
Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Mar 29, 2016 at 01:14:13PM +0100, Alex Sharaz wrote:
Quick question about OCSP URLs. When overriding the cert specified OCSP URL, can you specify more than one just in case a server dies for example?
Get a load balancer.
Just been off site and our F5 that load balances requests to our OCSP service decided not to forward them hence the only way to connect to eduroam was to delete the TLS profile and use PEAP. Talking to all the individual OCSP servers worked just fine.
Get a decent load balancer. :) Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Did have a load balancer (F5) was all working and then some thing changed and all the FR severs forwarding OCSP requests ( like from Networkshop in Manchester :/)) ) stopped working. Our systems people fixed it ... But it was working. Just glad we didn't have shedloads of people using EAP-TLS :-)) A Sent from my iPhone 6 plus
On 31 Mar 2016, at 23:05, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Mar 29, 2016 at 01:14:13PM +0100, Alex Sharaz wrote: Quick question about OCSP URLs. When overriding the cert specified OCSP URL, can you specify more than one just in case a server dies for example?
Get a load balancer.
Just been off site and our F5 that load balances requests to our OCSP service decided not to forward them hence the only way to connect to eduroam was to delete the TLS profile and use PEAP. Talking to all the individual OCSP servers worked just fine.
Get a decent load balancer. :)
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Did have a load balancer (F5) was all working and then some thing changed and all the FR severs forwarding OCSP requests ( like from Networkshop in Manchester :/)) ) stopped working. Our systems people fixed it ... But it was working. Just glad we didn't have shedloads of people using EAP-TLS :-))
you could fail open as a safety guard? alan
On Fri, Apr 01, 2016 at 10:01:01AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
Did have a load balancer (F5) was all working and then some thing changed and all the FR severs forwarding OCSP requests ( like from Networkshop in Manchester :/)) ) stopped working. Our systems people fixed it ... But it was working. Just glad we didn't have shedloads of people using EAP-TLS :-))
you could fail open as a safety guard?
That's why we've got the softfail option :) https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/raddb/mods-avail... Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Yup but as it says # Warning: this may enable clients with revoked # certificates to connect if the OCSP responder is not # available. Use with caution. # Think I'd rather have ability to try another OCSP server at this point. On 1 April 2016 at 12:02, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Apr 01, 2016 at 10:01:01AM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
Did have a load balancer (F5) was all working and then some thing changed and all the FR severs forwarding OCSP requests ( like from Networkshop in Manchester :/)) ) stopped working. Our systems people fixed it ... But it was working. Just glad we didn't have shedloads of people using EAP-TLS :-))
you could fail open as a safety guard?
That's why we've got the softfail option :)
https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/raddb/mods-avail...
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 1, 2016, at 7:22 AM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
Yup but as it says
# Warning: this may enable clients with revoked # certificates to connect if the OCSP responder is not # available. Use with caution. # Think I'd rather have ability to try another OCSP server at this point.
Sure. Submit a patch. :) It has to detect the failure, and instead of "soft fail", try either another hard-coded URL, or parse the OCSP URL(s) for another URL. And if either of those fail... fall back to the "soft fail". But realistically, if OCSP works at a hard-coded URL, why not just use that? And most certificates won't have multiple OCSP URLs, so you can't fall back to another OCSP server. You're much better off ensuring that your OCSP server stays up. Use a load-balancer, or a caching proxy. It's easier to manage than FreeRADIUS patches, and more configurable. Alan DeKok.
On Fri, Apr 01, 2016 at 12:22:48PM +0100, Alex Sharaz wrote:
Yup but as it says
# Warning: this may enable clients with revoked # certificates to connect if the OCSP responder is not # available. Use with caution. # Think I'd rather have ability to try another OCSP server at this point.
It took me less than two minutes thought here to realise that we'd never revoked a certificate, so the likelihood of the server going down was more than worrying that someone with a revoked cert was going to get in. Hence writing the softfail code... But not doubting your feature request is a valid one. Just pointing out there are existing alternatives which might be good enough. OSCP loadbalancer + softfail + checking regularly downloaded CRLs is probably appropriate for the vast majority of people. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
We're at the bottom of the learning curve w.r.t EAP-TLS but on the way to the fish and chip shop this lunchtime did come to the same conclusion that perhaps I was getting over concerned as to what to do in the event of the OCSP server failing. As you said, can't imaging we'll be revoking millions of certificates when we start rolling them out there. Think perhaps I'll use the softfail ... :-)) A On 1 April 2016 at 12:35, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Fri, Apr 01, 2016 at 12:22:48PM +0100, Alex Sharaz wrote:
Yup but as it says
# Warning: this may enable clients with revoked # certificates to connect if the OCSP responder is not # available. Use with caution. # Think I'd rather have ability to try another OCSP server at this point.
It took me less than two minutes thought here to realise that we'd never revoked a certificate, so the likelihood of the server going down was more than worrying that someone with a revoked cert was going to get in. Hence writing the softfail code...
But not doubting your feature request is a valid one. Just pointing out there are existing alternatives which might be good enough. OSCP loadbalancer + softfail + checking regularly downloaded CRLs is probably appropriate for the vast majority of people.
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Alex Sharaz -
Arran Cudbard-Bell -
Matthew Newton