expansion issue in external command

Alan Buxey a.l.m.buxey at lboro.ac.uk
Thu Jun 9 14:43:08 CEST 2011


hi,

in the TLS RADSEC configuration, if I want to use OpenSSL for external
verification (which I can't FULLY do... but still), I get the following
error if I use the ${certdir} expansion - as used all throughout the
rest of the config


WARNING: No such configuration item certdir
/etc/raddb/sites-enabled/tls[252]: Reference "/usr/bin/openssl verify -CAfile ${certdir}/CA.crt -purpose crlsign  %{TLS-Client-Cert-Filename}" not found
Errors reading /etc/raddb/radiusd.conf



there appears to be another issue too... if I say that the cert must be valid for a purpose and it's not valid for
the purpose, then it passes the test anyway(!)  that's not what I had in mind  ;-)

(0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign  %{TLS-Client-Cert-Filename}
(0) 	expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60
Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK 
Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK 
Exec-Program: returned: 0
(0) Client certificate CN server.camford.ac.uk passed external validation


run on the command line I get:


server.lboro.ac.uk-PKI.pem: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.lboro.ac.uk
error 26 at 0 depth lookup:unsupported certificate purpose
OK

...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isn't.


alan
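The log above shows why exit status alone is not a safe signal for verify_client_cert_cmd: FreeRADIUS saw "Exec-Program: returned: 0" and accepted the certificate even though openssl had printed "error 26 at 0 depth lookup:unsupported certificate purpose". The verify tool of that OpenSSL era treats a purpose failure as non-fatal, prints the error, then prints "OK" and exits 0. The following is an added example (not part of Alan's post, and not FreeRADIUS or OpenSSL code) of a wrapper that fails unless the output is clean. The function names are hypothetical, the two SAMPLE_* strings are constructed from the output quoted above, and verify_cert assumes an "openssl" binary on PATH.

```sh
#!/bin/sh
# Added example: treat "openssl verify" as successful only when its output
# carries no "error N at D depth" diagnostic and ends in "OK".
# Intended to stand in for the raw openssl command in verify_client_cert_cmd,
# because FreeRADIUS accepts the cert whenever the command exits 0.

# verify_output_ok OUTPUT
# Returns 0 only if OUTPUT has no "error <n> at <d> depth" line and its last
# non-empty line is "OK" (or "<file>: OK"). Any other output is a failure.
verify_output_ok() {
    out=$1
    # A verify-callback error anywhere in the output means a check failed,
    # regardless of the trailing "OK" that older openssl prints afterwards.
    if printf '%s\n' "$out" | grep -Eq 'error [0-9]+ at [0-9]+ depth'; then
        return 1
    fi
    last=$(printf '%s\n' "$out" | sed -e '/^[[:space:]]*$/d' | tail -n 1)
    case $last in
        OK|*": OK") return 0 ;;
        *)          return 1 ;;
    esac
}

# verify_cert CAFILE PURPOSE CERT
# Runs openssl verify, captures stdout+stderr (the callback writes the error
# text to stderr), and applies verify_output_ok on top of the exit status.
verify_cert() {
    cafile=$1 purpose=$2 cert=$3
    out=$(openssl verify -CAfile "$cafile" -purpose "$purpose" "$cert" 2>&1)
    rc=$?
    [ "$rc" -eq 0 ] || return "$rc"
    verify_output_ok "$out"
}

# Constructed sample outputs, modelled on the command-line run quoted above.
# SAMPLE_BAD is the "error 26 ... OK" case that currently passes; SAMPLE_GOOD
# is a clean result.
SAMPLE_BAD='server.lboro.ac.uk-PKI.pem: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.lboro.ac.uk
error 26 at 0 depth lookup:unsupported certificate purpose
OK'
SAMPLE_GOOD='server.lboro.ac.uk-PKI.pem: OK'

# Usage as a FreeRADIUS external verifier (hypothetical path):
#   verify_client_cert_cmd = "/etc/raddb/verify-cert.sh /etc/raddb/radsec/CA.crt crlsign %{TLS-Client-Cert-Filename}"
# with this script ending in:  verify_cert "$1" "$2" "$3"
```

With this wrapper the example in the post becomes a rejection: the "error 26 at 0 depth" line is matched before the trailing "OK" is even looked at, and the non-zero exit is what FreeRADIUS needs to log a failed external validation.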


