dynamic CRL
Travis Dimmig
tdimmig at impulse.com
Thu Aug 11 20:46:28 CEST 2011
> Travis Dimmig wrote:
> > Apologies ahead of time if this information is easily available
> > somewhere else, but everything I found seemed to be a few years out of
> > date. Does FreeRADIUS now have the ability to re-read a certificate
> > revocation list, or does it still require a restart after additions to
> > the CRL?
>
> FreeRADIUS uses OpenSSL for all SSL related things. OpenSSL doesn't re-
> load CRLs dynamically.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
OpenSSL does provide a way of outputting the CRL to a PEM file, though, for instance. Would it not be possible to point FreeRADIUS to such a file and have it either monitor for changes or re-read when attempting a certificate-based authentication? A user would be responsible for re-generating that file when a new certificate is revoked, but FreeRADIUS would not have to be restarted.
If this question is off the mark, it is probably because I don't know how FreeRADIUS interacts with OpenSSL for certification validation. Can you explain to me how FreeRADIUS currently checks if a certificate is valid or revoked?
Travis
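
Added example, not part of either message and not FreeRADIUS code: using only the openssl command line, it shows that a PEM CRL regenerated after a revocation is honoured as soon as a verifier reads the file again. The throwaway CA, the file names, the subjects and the `q` and `check_cert` helpers are constructed for this demonstration.

```shell
# Constructed demo: throwaway CA in a temp dir. Every file name and subject
# below is hypothetical and unrelated to any FreeRADIUS configuration.
set -eu
cd "$(mktemp -d)"
mkdir newcerts; : > index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any
[any]
commonName = supplied
EOF
q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure
q openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -keyout ca.key -out ca.pem -days 1
q openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=demo-client" -keyout client.key -out client.csr
q openssl ca -batch -config ca.cnf -notext -in client.csr -out client.pem
q openssl ca -config ca.cnf -gencrl -out crl.pem   # initial, empty CRL
# Each call starts a fresh openssl process, so crl.pem is read from disk anew.
check_cert() {
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" 2>&1 || true)
  case $out in
    *revoked*) echo revoked ;;
    *": OK"*)  echo valid ;;
    *)         echo error ;;
  esac
}
before=$(check_cert client.pem)
q openssl ca -config ca.cnf -revoke client.pem
q openssl ca -config ca.cnf -gencrl -out crl.pem   # regenerate the PEM CRL
after=$(check_cert client.pem)
echo "before revocation: $before / after CRL regeneration: $after"
```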