Hey All, Any body knows how to revoke the certificates? what changes needs to be done in the freeradius eap.conf file. Im trying to do in the way its given in the default config file: Oopenssl command to revoke the ca-certificate: openssl ca -gencrl -keyfile ./privatekey.pem -cert cacert.pem revoke cacert.pem -out crl.pem 1. copied ca & crl to ./ directory( my ca & crl files are in current directory ) 2. c_rehash ./ tls { ... CA_file = ./cacert.pem CA_path = ./ check_crl = yes } Still the server returns success for the user. Any idea ? where am i missing the configuration? Please reply me with your info. Thanks Sumi -- "If u look at what u dont have in life, u dont have anything But if u look at what u have in life, u have everything.....!!" -- "If u look at what u dont have in life, u dont have anything But if u look at what u have in life, u have everything.....!!"
On 6/1/06, sumi thra <sumi.techno@gmail.com> wrote:
Any body knows how to revoke the certificates? what changes needs to be done in the freeradius eap.conf file.
No possible changes there will help you in that purpose. Having said that, I'd like to provide some details I found while digging around out of curiosity. Unless mentioned otherwise I'm speaking of freeradius-1.1.1 (.deb built using released debian subdir) and openssl 0.9.8b (debian/sid). freeradius uses X509_V_FLAG_CRL_CHECK in src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c which will only check a crl for the last entity in a certificate chain according to http://www.mail-archive.com/openssl-users@openssl.org/msg42197.html . I didn't find any spec/rfc/etc that commands this behaviour, but I think of Dr Henson as being quite authoritative on that issue :) So I tested an added (better: ORed) X509_V_FLAG_CRL_CHECK_ALL and got the behaviour the OP wanted: checked crls for (all) CAs in a chain. PEM ones worked. While I'm not convinced that this makes sense for a (explicitly trusted) root-CA (the revoked-to-be cert signs the revocation) I do see a valid use case for honoring revoked intermediate CAs. Despite RFC2716 6.1 speaking about revoked client certificates only, I think it would be desirable to incorporate the rationale behind the whole TLS stuff (RFC2246 D.3). Up to now I didn't look much further for updated/contradicting related specifications. Any hints? A quick look into 1.1.2 left me with the impression that nothing would prevent the same modification there. But before eventually filing some wishlist bug with a more detailed patch, I'd like to read some comments on the whole issue, esp. concerning the following:
openssl ca -gencrl -keyfile ./privatekey.pem -cert cacert.pem revoke cacert.pem -out crl.pem
Not sure what OP is exactly doing here. Presuming X509_V_FLAG_CRL_CHECK_ALL shall be used, should it also honor crls for root CAs (as it would do out of the box)? configurable choice maybe? Furthermore hash-linked crls for all possible CAs must be provided in CA_path otherwise TLS will fail regardless of validity of offered certs.
1. copied ca & crl to ./ directory( my ca & crl files are in current directory ) 2. c_rehash ./
tls { ... CA_file = ./cacert.pem CA_path = ./ check_crl = yes }
I was too lazy to check if relative paths do work here. Checking with absolute ones led to the following caveat: if you combine the needed cr's in one file by concatenating c_rehash does only generate one hashname link by virtue of 'openssl crl [...] -hash' providing only (the first?) one. Adding the appropriately named missing ones manually does work. regards K. Hoercher
I have read over the docs but haven't found a clear way to turn off session tracking. I just want the radius server to give an Accept or Reject for user auth (which I have working with mysql) and not track the session (start/stop records etc...) Thanks Jeremy
Hi, "session tracking" is called - accounting ! the last A in AAA ;) Just empty the accounting { } part in your radiusd.conf file. If your NAS sends accounting info - turn it off ! Regards, Edvin -----Original Message----- From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.or g] On Behalf Of Jeremy Ford Sent: Mittwoch, 07. Juni 2006 01:58 To: 'FreeRadius users mailing list' Subject: session tracking I have read over the docs but haven't found a clear way to turn off session tracking. I just want the radius server to give an Accept or Reject for user auth (which I have working with mysql) and not track the session (start/stop records etc...) Thanks Jeremy - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Jeremy Ford -
K. Hoercher -
Seferovic Edvin -
sumi thra