EAP/TLS OCSP Extension
Alex Bergmann
alex at linlab.net
Fri Nov 19 02:16:12 CET 2010
Hi everyone!
Back in 2004 I finished my diploma thesis covering OCSP integration
in the EAP/TLS module of freeRADIUS. Unfortunately I never posted the
patch. To get this burden off me, I've dug through the code again, made
some final adjustments and just finished the patch for the v2.1.x branch.
The functionality is quite simple. After a user certificate has been validated
correctly, it is possible to check its current status against an
OCSP responder as well. Here's the debug output.
[tls] --> verify return:1
[tls] --> Starting OCSP Request
[ocsp] --> Resonder URL = http://127.0.0.1:80/ocsp/
[ocsp] --> Certificate is valid!
I've added a new subsection inside the eap/tls configuration that makes
it possible to set the following settings. (A detailed description can be
found in the patch.)
ocsp {
check_ocsp = yes
define_ocsp_responder = yes
ocsp_url = "http://127.0.0.1/ocsp/"
}
I'm aware that the EAP/TLS module was extended with a verify section
that mentions OCSP explicitly. Nevertheless, I would like to see this
functionality implemented directly in the rlm_eap_tls module.
Please feel free to comment on the code and on this feature in general.
I'm happy to receive any feedback!
Best regards,
Alex
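An added example, not the author's patch and not FreeRADIUS code: the check described above (chain validation first, then a status query to an OCSP responder) carried through end to end in Python with the `cryptography` library, against a constructed test CA and an in-process responder so it runs offline. The function names (`make_cert`, `build_ocsp_request`, `responder`, `check_ocsp`), the test identities and the nonce handling are this example's own assumptions; the patch itself does this in C against OpenSSL's OCSP API. It goes slightly beyond the post by also showing what the verifier must reject (a mismatched nonce) and how a revoked certificate comes back.

```python
# Added example (not the FreeRADIUS patch): post-validation OCSP check, done
# end to end with a constructed test PKI and a simulated responder.
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_cert(cn, key, issuer_cert=None, issuer_key=None, ca=False):
    """Issue a test certificate (constructed PKI); self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    signer = issuer_key if issuer_key is not None else key
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(days=1))
            .not_valid_after(_now() + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))


def build_ocsp_request(cert, issuer):
    """Client side: CertID for the user cert plus a fresh nonce that binds the reply to this request."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder()
           .add_certificate(cert, issuer, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False)
           .build())
    return req.public_bytes(serialization.Encoding.DER), nonce


def responder(request_der, ca_key, ca_cert, issued, revoked_serials):
    """Simulated responder that signs with the CA key itself; 'issued' maps serial -> certificate."""
    req = ocsp.load_der_ocsp_request(request_der)
    cert = issued[req.serial_number]
    is_revoked = req.serial_number in revoked_serials
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if is_revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=_now(), next_update=_now() + datetime.timedelta(hours=1),
        revocation_time=_now() if is_revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if is_revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    nonce = req.extensions.get_extension_for_class(x509.OCSPNonce).value
    builder = builder.add_extension(nonce, critical=False)  # echo the client's nonce
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_ocsp(response_der, cert, signer_cert, expected_nonce):
    """Client side, run only after the chain has verified. Returns 'good', 'revoked', 'unknown' or 'error'."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "error"
    try:  # the response must be signed by the CA (or a delegated responder chaining to it)
        signer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                        padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return "error"
    try:  # without a matching nonce an old "good" answer could be replayed for a now-revoked cert
        got = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return "error"
    if got != expected_nonce or resp.serial_number != cert.serial_number:
        return "error"
    now = _now().replace(tzinfo=None)  # cryptography reports these timestamps as naive UTC
    if resp.this_update > now or (resp.next_update is not None and resp.next_update < now):
        return "error"
    return {ocsp.OCSPCertStatus.GOOD: "good",
            ocsp.OCSPCertStatus.REVOKED: "revoked"}.get(resp.certificate_status, "unknown")


def demo():
    """Constructed scenario: one valid user, one revoked user, one replayed response."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = make_cert("Test RADIUS CA", ca_key, ca=True)
    alice = make_cert("alice", rsa.generate_private_key(public_exponent=65537, key_size=2048), ca_cert, ca_key)
    mallory = make_cert("mallory", rsa.generate_private_key(public_exponent=65537, key_size=2048), ca_cert, ca_key)
    issued = {c.serial_number: c for c in (alice, mallory)}
    revoked = {mallory.serial_number}
    results = {}
    for name, cert in (("alice", alice), ("mallory", mallory)):
        req, nonce = build_ocsp_request(cert, ca_cert)
        results[name] = check_ocsp(responder(req, ca_key, ca_cert, issued, revoked), cert, ca_cert, nonce)
    req, _ = build_ocsp_request(alice, ca_cert)
    stale = responder(req, ca_key, ca_cert, issued, revoked)
    results["replay"] = check_ocsp(stale, alice, ca_cert, os.urandom(16))  # nonce does not match
    return results


if __name__ == "__main__":
    print(demo())
```

The responder here signs with the CA key directly, which is one of the two arrangements OCSP allows; if a deployment uses a delegated responder certificate, the verifier additionally has to check that certificate's chain and its OCSP-signing extended key usage, and should compare the issuer key hash in the reply against the CA's key. Treating any failure as a reject (the `"error"` path) is the conservative choice for an authentication server; whether to fail open when the responder is unreachable is a policy decision, not something this example makes.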
Attachment: freeradius-server-v2.1.x-eap-tls-ocsp.patch (text/x-patch, 10871 bytes)
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20101119/e235fb29/attachment.bin>