EAP/TLS OCSP Extention

Alex Bergmann alex at linlab.net
Fri Nov 19 02:16:12 CET 2010

Hi everyone!

Back in 2004 I've finished my diploma thesis covering OCSP integration 
in the EAP/TLS module of freeRADIUS. Unfortunately I never posted the 
patch. To get this burden off me, I've dug through the code again, did 
some final adjustment and just finished the patch for the v2.1.x branch.

The functionality is quite simple. After a user certificate is validated 
correctly it is possible to check the current status as well against an 
OCSP responder. Here's the debug output.

[tls] --> verify return:1
[tls] --> Starting OCSP Request
[ocsp] --> Resonder URL =
[ocsp] --> Certificate is valid!

I've added a new subsection inside the eap/tls configuration that makes 
it able to set the following settings. (A detailed description can be 
found in the patch.)

ocsp {
	check_ocsp = yes
	define_ocsp_responder = yes
	ocsp_url = ""

I'm aware that the EAP/TLS module was extended with a verify section 
that states OCSP explicitly. Nevertheless I would like to see this 
functionality implemented directly into the rlm_eap_tls module.

Please feel free to comment on the code and on this feature in general. 
I'm happy about any feedback!

Best regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeradius-server-v2.1.x-eap-tls-ocsp.patch
Type: text/x-patch
Size: 10871 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20101119/e235fb29/attachment.bin>

More information about the Freeradius-Devel mailing list