OCSP failure with nonce - patch for option use_nonce

Matthew Newton mcn4 at leicester.ac.uk
Thu Jan 12 21:09:19 CET 2012


Testing OCSP today, it took a while to realise that the server
didn't support nonce, but freeradius always sends it. This meant
all OCSP requests were rejected as 'unauthorised'.

It turns out that the MS Certificate Services responder ships with
nonce support disabled, but it can be enabled, which did fix our
issue. However reading around the web it sounds like there are
responders out there that can't cope with nonce.

So here's a patch that adds a new option to the OCSP settings,
'use_nonce', which defaults to yes. Tested here (v2.1.x branch)
and it means that the certificate validation will still work if
the server can't understand nonce.

Obviously there's an increased chance of a replay attack with it
disabled, so I added a warning to the config that recommends not
turning it off unless necessary.

Patch for v2.1.x branch:

and against master (untested, I confess):

It looks sane to me, and works, but probably needs eyeballing by
someone with openssl knowledge to ensure I haven't done something



Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Devel mailing list