RADSEC cert validation doesn't seem to work...
Stefan Winter
stefan.winter at restena.lu
Fri Jun 10 14:23:36 CEST 2011
Hi,
great. I used to think I'm avant-garde with my openssl 1.0.0c on openSUSE
11.4. Still, the command-line gives me the same help as yours.
It takes all the fancy arguments from the web documentation though:
openssl verify -verbose -explicit_policy -policy 1.3.5.1 -policy_print
-policy_check -CAfile ./testcert.pem testcert.pem
Require explicit Policy: False
Authority Policies: <empty>
User Policies: <empty>
testcert.pem: OK
swinter at aragorn:~>
But as you see, it ignores the "explicit policy required" and "policy =
1.3.5.1" parameters deliberately. Grr.
Stefan
Am 10.06.2011 14:09, schrieb Alan Buxey:
> Hi,
>
>> The external shell script certificate validation stuff should work.
> should, aye. however, the current openssl 'verify' has the following
>
> openssl verify -help
> usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
> recognized usages:
> sslclient SSL client
> sslserver SSL server
> nssslserver Netscape SSL server
> smimesign S/MIME signing
> smimeencrypt S/MIME encryption
> crlsign CRL signing
> any Any Purpose
> ocsphelper OCSP helper
>
>
> - this is on latest RHEL release (and therefore CentOS etc) - there's no 'purpose' flag
> like the current 'bleeding edge' OpenSSL manual describes :-(
>
> (I'm thinking of compiling my own local restrained copy to try out leaving the distro
> stuff well-alone)
>
> alan
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
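
Added example, not part of the original message and not FreeRADIUS or OpenSSL code: an external validation script can read the certificatePolicies extension itself instead of relying on the "OK" line from openssl verify. The function names, the sample text and the presence of openssl on PATH are assumptions made for illustration.

```shell
#!/bin/sh
# Check a required certificatePolicies OID outside of `openssl verify`.
# Limitation: this inspects the leaf certificate only; it does not perform
# RFC 5280 policy-tree processing across the chain.

# Constructed sample of `openssl x509 -noout -text` output (not a real cert).
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Certificate Policies: 
                Policy: 1.3.5.10
                  CPS: http://ca.example.org/cps
                Policy: 1.2.3.4
            X509v3 Basic Constraints: critical
                CA:FALSE'

# Read `openssl x509 -text` output on stdin, print one policy OID per line.
cert_policy_oids() {
    awk '$1 == "Policy:" { print $2 }'
}

# has_policy OID: succeed only if stdin lists exactly that OID.
# -F (fixed string) and -x (whole line) stop 1.3.5.1 from matching 1.3.5.10.
has_policy() {
    cert_policy_oids | grep -Fxq -- "$1"
}

# verify_with_policy CAFILE CERT OID  (hypothetical helper name)
# Returns 0 if the chain verifies and the OID is present, 1 if chain
# verification fails, 2 if the chain is fine but the policy OID is missing.
# Assumes the installed openssl reports verification failure in its exit status.
verify_with_policy() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | has_policy "$3" || return 2
}
```

Called as verify_with_policy ca.pem client.pem 1.3.5.1, the helper fails with status 2 for a certificate that chains correctly but lacks the required policy.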