OCSP parsing in client certificate
Dear all, I have a small/big issue and I cannot find a good solution for that. Scenario: iPhones with certificates from internal PKI, joining a Wi-Fi network protected by WPA2-Enterprise authenticating against a Freeradius server v. 2.1.12 (Redhat 6.3). The radius server has as well an internal PKI certificate and the authentication used is EAP-TLS. No CRL/OCSP implementation on the first stage. Everything is working fine, the mobile device is configure to accept the radius certificate and the peers can therefore mutually authenticate each other. I then configured a Microsoft OCSP array to implement client certificate status checking on the radius server. When "override_cert_url = yes" in the OCSP section in eap.conf is configured to override the responder URL, everything is fine and radius get correct responses, [tls] --> verify return:1 [tls] --> Starting OCSP Request [ocsp] --> Responder URL = http://crl.ema.europa.eu:80/ocsp [ocsp] --> Response status: successful This Update: Apr 16 09:50:00 2013 GMT Next Update: Apr 17 22:10:00 2013 GMT [oscp] --> Cert status: good [ocsp] --> Certificate is valid! [tls] chain-depth=0, but when I try to remove this feature and use the OCSP property extracted from the client certificate, the radiusd -X output is: [tls] --> Starting OCSP Request [ocsp] --> Responder URL = http://(null):(null)(null) Error: Couldn't get OCSP response [ocsp] --> Certificate has been expired/revoked! [tls] chain-depth=0, [tls] error=0 I don't know if the problem is the client certificate or how Radius parse it. I this can help to understand, the output of: openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri > http://crl.ema.europa.eu/ocsp (which is the correct url) Any input is really appreciated. Regards, Francesco Beltramini ________________________________________________________________________ This e-mail has been scanned for all known viruses by European Medicines Agency. ________________________________________________________________________
Beltramini Francesco wrote:
I have a small/big issue and I cannot find a good solution for that. Scenario: iPhones with certificates from internal PKI, joining a Wi-Fi network protected by WPA2-Enterprise authenticating against a Freeradius server v. 2.1.12 (Redhat 6.3). ... but when I try to remove this feature and use the OCSP property extracted from the client certificate, the radiusd -X output is:
[tls] --> Starting OCSP Request [ocsp] --> Responder URL = http://(null):(null)(null)
From the v2.2.0 change log: * Skip OCSP if there's no host / port / url, with soft_fail Upgrade. Alan DeKok.
On Tue, Apr 16, 2013 at 04:30:18PM -0400, Alan DeKok wrote:
Beltramini Francesco wrote:
but when I try to remove this feature and use the OCSP property extracted from the client certificate, the radiusd -X output is:
[tls] --> Starting OCSP Request [ocsp] --> Responder URL = http://(null):(null)(null)
From the v2.2.0 change log:
* Skip OCSP if there's no host / port / url, with soft_fail
Hmm - I'm not sure if the override_cert_url = no code works correctly - I seem to remember I had problems with it, but I just set it to yes and forced the server anyway, as it seemed better than trusting the client-provided cert (our setup is private CA, so I know what the OCSP server is). I think I saw the same - that it wouldn't extract the URL from the cert, and just came back with (null)s. As usual, I just blamed OpenSSL and moved on. If I get a chance, I'll try and check it again. soft_fail will allow the auth to succeed in the event that there is no response (rather than a negative response) from the OCSP server - otherwise it "fails safe" and rejects the request. It's in case the OCSP server happens to be down for some reason.
Upgrade.
Always the right thing anyway :-) Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanks for your feedback. I don't think either that the override_cert_url = no works properly since the ocsp extension in the client certificate is not parsed anyway. Alan: does the change log refer to certificates without the proper extensions defined ? Because my situation is slightly different, the clients present a certificate that does contain the OCSP properties. Thanks and Regards, Francesco Beltramini -----Original Message----- From: freeradius-users-bounces+francesco.beltramini=ema.europa.eu@lists.freeradius.org [mailto:freeradius-users-bounces+francesco.beltramini=ema.europa.eu@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 16 April 2013 21:56 To: FreeRadius users mailing list Subject: Re: OCSP parsing in client certificate On Tue, Apr 16, 2013 at 04:30:18PM -0400, Alan DeKok wrote:
Beltramini Francesco wrote:
but when I try to remove this feature and use the OCSP property extracted from the client certificate, the radiusd -X output is:
[tls] --> Starting OCSP Request [ocsp] --> Responder URL = http://(null):(null)(null)
From the v2.2.0 change log:
* Skip OCSP if there's no host / port / url, with soft_fail
Hmm - I'm not sure if the override_cert_url = no code works correctly - I seem to remember I had problems with it, but I just set it to yes and forced the server anyway, as it seemed better than trusting the client-provided cert (our setup is private CA, so I know what the OCSP server is). I think I saw the same - that it wouldn't extract the URL from the cert, and just came back with (null)s. As usual, I just blamed OpenSSL and moved on. If I get a chance, I'll try and check it again. soft_fail will allow the auth to succeed in the event that there is no response (rather than a negative response) from the OCSP server - otherwise it "fails safe" and rejects the request. It's in case the OCSP server happens to be down for some reason.
Upgrade.
Always the right thing anyway :-) Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________________________________________________ This e-mail has been scanned for all known viruses by European Medicines Agency. ________________________________________________________________________
Beltramini Francesco wrote:
Alan: does the change log refer to certificates without the proper extensions defined ? Because my situation is slightly different, the clients present a certificate that does contain the OCSP properties.
See the debug log. OpenSSL doesn't think so. It was showing "(null)" for the various OCSP fields. Alan DeKok.
Ok I see what you mean. However, in my first mail I've also specified that: openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri returns http://crl.ema.europa.eu/ocsp (which is the correct url) Do you know what kind of parsing is radius asking to openssl ? Thanks, Francesco Beltramini -----Original Message----- From: freeradius-users-bounces+francesco.beltramini=ema.europa.eu@lists.freeradius.org [mailto:freeradius-users-bounces+francesco.beltramini=ema.europa.eu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 19 April 2013 13:04 To: FreeRadius users mailing list Subject: Re: OCSP parsing in client certificate Beltramini Francesco wrote:
Alan: does the change log refer to certificates without the proper extensions defined ? Because my situation is slightly different, the clients present a certificate that does contain the OCSP properties.
See the debug log. OpenSSL doesn't think so. It was showing "(null)" for the various OCSP fields. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________________________________________________ This e-mail has been scanned for all known viruses by European Medicines Agency. ________________________________________________________________________
Beltramini Francesco wrote:
Ok I see what you mean. However, in my first mail I've also specified that:
openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri returns http://crl.ema.europa.eu/ocsp (which is the correct url)
Do you know what kind of parsing is radius asking to openssl ?
The normal OpenSSL certificate parsing. We didn't implement OpenSSL, and we don't know a lot about it. If OpenSSL says there's no OCSP information in the certs, it's an OpenSSL issue. Alan DeKok.
Thanks for the explanation. I know that you didn't implement openssl :-), however, as I said and running it manually, openssl does say that there is OCSP information on the certificate. [root@host ~]# openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri returns the correct value http://crl.ema.europa.eu/ocsp Thanks, F. -----Original Message----- From: freeradius-users-bounces+francesco.beltramini=ema.europa.eu@lists.freeradius.org [mailto:freeradius-users-bounces+francesco.beltramini=ema.europa.eu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 19 April 2013 18:31 To: FreeRadius users mailing list Subject: Re: OCSP parsing in client certificate Beltramini Francesco wrote:
Ok I see what you mean. However, in my first mail I've also specified that:
openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri returns http://crl.ema.europa.eu/ocsp (which is the correct url)
Do you know what kind of parsing is radius asking to openssl ?
The normal OpenSSL certificate parsing. We didn't implement OpenSSL, and we don't know a lot about it. If OpenSSL says there's no OCSP information in the certs, it's an OpenSSL issue. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________________________________________________ This e-mail has been scanned for all known viruses by European Medicines Agency. ________________________________________________________________________
participants (3)
-
Alan DeKok -
Beltramini Francesco -
Matthew Newton