EAP/TLS authentication in 2050

Victor Guk v.guk at zaz.zp.ua
Mon Dec 5 12:54:35 CET 2011


> This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL
> tells it.
>
> Can you verify the cert with the "openssl verify ..." test command? e.g.
> try this:
>
> openssl verify -CAfile ca.pem -purpose sslserver server.pem

freeradius:/usr/local/CA # openssl verify -CAfile cacert.pem -purpose sslserver cert-srv.pem
cert-srv.pem: OK

>
> If this fails as well, then it's either a problem in OpenSSL or your
> system libraries with dates > 2050. If it succeeds (which I doubt) then
> FreeRADIUS should work too.
>
> I sort of admire your effort to future-proof your certs though! ;o)

> why?
>
> really, why? what purpose does testing these dates have - you really think
> your current infrastructure, and technologies such as 802.1X are going
> to be around in the same format in even 20 years time?

No, of course not :)
It was my curiosity that led me to test such a date.

>
> anyway....I'm guessing these are 32 bit server and client OS ?
>
> you may find, in that case, that your tests will work until you set the
> date beyond 2037 - 32bit OS have problems with dates after 2038
>
> so, try this with KNOWN parameters - eg 2020 , within the 2038
> timeframe and things should work.

The server is running SLES 11 SP1 (x86_64), and the workstation is running
Windows XP SP3 (32-bit). Authentication is successful until February 1,
2050, i.e. for example if you logged in on December 31, 2049, then the
authentication is successful.
A little later, I will try a client computer running a 64-bit OS. The
results will be announced later.
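
The thread names two date boundaries, 2038 and 2050. The following is an added example, not part of the original message and not FreeRADIUS or OpenSSL code: RFC 5280 requires certificate validity dates through 2049 to be encoded as ASN.1 UTCTime and dates from 2050 onward as GeneralizedTime, while a signed 32-bit time_t ends in January 2038. The function names are hypothetical and the sample dates are constructed.

```python
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME = 0x17, 0x18   # ASN.1 universal tag numbers
INT32_MAX = 2**31 - 1                   # last second a signed 32-bit time_t holds

def encode_validity_time(dt):
    """DER-encode notBefore/notAfter per RFC 5280 section 4.1.2.5."""
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:          # two-digit year is enough
        tag, text = UTCTIME, dt.strftime("%y%m%d%H%M%SZ")
    else:                                # 2050 onward needs four digits
        tag, text = GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ")
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body

def decode_validity_time(der):
    """Parse a DER UTCTime or GeneralizedTime into an aware datetime."""
    tag, length, body = der[0], der[1], der[2:]
    if length != len(body) or not body.endswith(b"Z"):
        raise ValueError("malformed time value")
    text = body.decode("ascii")
    if tag == UTCTIME and length == 13:
        yy = int(text[:2])               # RFC 5280: YY >= 50 means 19YY
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif not (tag == GENERALIZEDTIME and length == 15):
        raise ValueError("not an RFC 5280 time encoding")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def fits_32bit_time_t(dt):
    """True if the instant is representable in a signed 32-bit time_t."""
    return int(dt.timestamp()) <= INT32_MAX

def describe(dt):
    """Return (ASN.1 type used, fits in 32-bit time_t) for a validity date."""
    der = encode_validity_time(dt)
    if decode_validity_time(der) != dt:
        raise ValueError("round trip failed")
    kind = "UTCTime" if der[0] == UTCTIME else "GeneralizedTime"
    return kind, fits_32bit_time_t(dt)

if __name__ == "__main__":
    # Constructed sample dates around the boundaries named in the thread.
    for ymd in [(2020, 1, 1), (2037, 12, 31), (2049, 12, 31), (2050, 2, 1)]:
        dt = datetime(*ymd, tzinfo=timezone.utc)
        print(dt.date(), *describe(dt), encode_validity_time(dt).hex())
```

A peer that parses only UTCTime, or that stores the result in a 32-bit time_t, handles the first sample date and not the last; which of the two limits applies to a given client has to be established by testing that client.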



