revoking ca certificates

K. Hoercher wbhoer at gmail.com
Sun Jun 4 15:15:20 CEST 2006


On 6/1/06, sumi thra <sumi.techno at gmail.com> wrote:
> Anybody know how to revoke the certificates? What changes need to be
> done in the freeradius eap.conf file.

No possible changes there will help you in that purpose. Having said
that, I'd like to provide some details I found while digging around
out of curiosity.

Unless mentioned otherwise I'm speaking of freeradius-1.1.1 (.deb
built using released debian subdir) and openssl 0.9.8b (debian/sid).
freeradius uses X509_V_FLAG_CRL_CHECK in
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c which will only
check a crl for the last entity in a certificate chain according to
http://www.mail-archive.com/openssl-users@openssl.org/msg42197.html .

I didn't find any spec/rfc/etc that commands this behaviour, but I
think of Dr Henson as being quite authoritative on that issue :)

So I tested an added (better: ORed) X509_V_FLAG_CRL_CHECK_ALL and got
the behaviour the OP wanted: checked crls for (all) CAs in a chain.
PEM ones worked.

While I'm not convinced that this makes sense for a (explicitly
trusted) root-CA (the revoked-to-be cert signs the revocation) I do
see a valid use case for honoring revoked intermediate CAs. Despite
RFC2716 6.1 speaking about revoked client certificates only, I think
it would be desirable to incorporate the rationale behind the whole
TLS stuff (RFC2246 D.3). Up to now I didn't look much further for
updated/contradicting related specifications. Any hints?

A quick look into 1.1.2 left me with the impression that nothing would
prevent the same modification there. But before eventually filing some
wishlist bug with a more detailed patch, I'd like to read some
comments on the whole issue, esp. concerning the following:

> openssl ca -gencrl -keyfile ./privatekey.pem  -cert  cacert.pem  revoke
> cacert.pem -out crl.pem

Not sure what OP is exactly doing here.
Presuming X509_V_FLAG_CRL_CHECK_ALL shall be used, should it also
honor crls for root CAs (as it would do out of the box)? Configurable
choice maybe?

Furthermore hash-linked crls for all possible CAs must be provided in
CA_path otherwise TLS will fail regardless of validity of offered
certs.

> 1. copied ca & crl to ./ directory (my ca & crl files are in the current
> directory)
> 2. c_rehash ./
>
> tls {
> ...
> CA_file = ./cacert.pem
> CA_path = ./
> check_crl = yes
> }

I was too lazy to check if relative paths do work here. Checking with
absolute ones led to the following caveat: if you combine the needed
crls in one file by concatenating them, c_rehash generates only one
hashname link, by virtue of 'openssl crl [...] -hash' providing only
(the first?) one. Adding the appropriately named missing ones manually
does work.

regards
K. Hoercher
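The two observations in this message, reproduced with the openssl command line as an added example (not code from the thread, from FreeRADIUS or from OpenSSL's own test suite): leaf-only CRL checking (X509_V_FLAG_CRL_CHECK, here `openssl verify -crl_check`) versus checking every CA in the chain (X509_V_FLAG_CRL_CHECK_ALL, `-crl_check_all`), which also demands a CRL for the root itself, and the caveat that 'openssl crl -hash' yields only one hash for a concatenated CRL file. The script builds a throwaway root/intermediate/leaf PKI in a temp directory, installs CRLs under the <hash>.r0 names c_rehash would use (by hand, not via c_rehash), then revokes the intermediate. The subjects, file names, config sections and the `run_crl_demo` summary format are all constructed for this demo.

```shell
#!/bin/sh
# Added demo, not code from the thread or from FreeRADIUS: it reproduces the
# leaf-only vs. whole-chain CRL checking and the concatenated-CRL hash caveat
# with the openssl CLI.  All subjects, file names and paths are constructed.

# Issue a self-signed root, an intermediate CA and a leaf into directory $1.
build_pki() {
    d="$1"
    cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
    for n in root inter leaf; do
        openssl genrsa -out "$d/$n.key" 2048 >/dev/null 2>&1
        openssl req -new -config "$d/ext.cnf" -key "$d/$n.key" \
            -subj "/CN=demo $n" -out "$d/$n.csr" >/dev/null 2>&1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ext.cnf" -extensions v3_ca -out "$d/root.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -extensions v3_ca \
        -out "$d/inter.pem" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" >/dev/null 2>&1
}

# Minimal "openssl ca" config for CA $2: -gencrl and -revoke need only these keys.
write_ca_cnf() {
    d="$1"; n="$2"
    cat > "$d/$n.ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $d/$n.db
certificate = $d/$n.pem
private_key = $d/$n.key
default_md = sha256
default_crl_days = 1
EOF
    : > "$d/$n.db"
}

# Issue CA $2's CRL and install it under CApath $3 as <issuer-hash>.r0,
# the name c_rehash would create (done by hand here).
issue_crl() {
    d="$1"; n="$2"; capath="$3"
    openssl ca -config "$d/$n.ca.cnf" -gencrl -out "$d/$n.crl" >/dev/null 2>&1
    cp "$d/$n.crl" "$capath/$(openssl crl -hash -noout -in "$d/$n.crl").r0"
}

# Verify leaf <- inter <- root with one CRL flag ($3); print ok or fail.
# The output text is checked because old verify builds always exited 0.
verify_chain() {
    d="$1"; capath="$2"; flag="$3"
    out=$(openssl verify -CAfile "$d/root.pem" -CApath "$capath" "$flag" \
          -untrusted "$d/inter.pem" "$d/leaf.pem" 2>&1 || true)
    case "$out" in *": OK"*) echo ok ;; *) echo fail ;; esac
}

# Walk through the scenarios and print one summary line.
run_crl_demo() {
    d=$(mktemp -d); capath="$d/crls"; mkdir "$capath"
    build_pki "$d"
    write_ca_cnf "$d" root; write_ca_cnf "$d" inter
    issue_crl "$d" root "$capath"
    r1=$(verify_chain "$d" "$capath" -crl_check_all)  # fail: no CRL for inter yet
    issue_crl "$d" inter "$capath"
    r2=$(verify_chain "$d" "$capath" -crl_check_all)  # ok: every chain CA has a CRL
    # The root revokes the intermediate and publishes a fresh CRL.
    openssl ca -config "$d/root.ca.cnf" -revoke "$d/inter.pem" >/dev/null 2>&1
    issue_crl "$d" root "$capath"
    r3=$(verify_chain "$d" "$capath" -crl_check)      # ok: only the leaf is checked
    r4=$(verify_chain "$d" "$capath" -crl_check_all)  # fail: revoked intermediate
    # Concatenation caveat: "openssl crl -hash" reports one hash for two CRLs.
    cat "$d/root.crl" "$d/inter.crl" > "$d/all.crl"
    h=$(openssl crl -hash -noout -in "$d/all.crl" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "missing_crl=$r1 all_crls=$r2 leaf_only_after_revoke=$r3 chain_after_revoke=$r4 hashes_from_concat=$h"
}

run_crl_demo
```

The first result is the failure mode the message warns about: with chain-wide checking, a valid chain is rejected until a hash-linked CRL exists for every CA in it, the root included. The last two results show why leaf-only checking cannot honour a revoked intermediate, and the final count is the reason a concatenated CRL file needs its extra hash names added by hand.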
