EAP-TLS CRL checking when multiple CAs used

Martin Čmelík martin.cmelik at gmail.com
Thu Nov 10 17:36:29 CET 2011


Hi,

I downloaded the current stable FreeRADIUS version 2.1.12 and imported the
configuration from the old server (rewrote etc/raddb).
Everything seems to be OK, but I must now add another two trusted CAs
into ca.pem and also enable checking against CRL files as for the others.

Let's say that eap.conf is set up by default:

                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.pem
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = ${certdir}/random
                        check_crl = yes
                        CA_path = ${cadir}
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        ecdh_curve = "prime256v1"
                        cache {
                              enable = no
                              max_entries = 255
                        }
                        verify {
                        }
                        ocsp {
                              enable = no
                              override_cert_url = yes
                              url = "http://127.0.0.1/ocsp/"
                        }
                }

One of our scripts downloads the CRL files every 20 minutes, moves them to
the certs directory and runs c_rehash on them.

It works for the old certificates (4x CAs) but doesn't work for the two which I added now.

When somebody with a certificate issued by the new CA tries to log in, I see
this error in the log:

Thu Nov 10 12:56:51 2011 : Error: --> verify error:num=3:unable to get certificate CRL
Thu Nov 10 12:56:51 2011 : Auth: Login incorrect (unable to get certificate CRL): [John Smith] (from client some-device port 29 cli AA-BB-CC-DD-EE-FF)

Hashes are generated well:

lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 21e0d39d.r0 -> crl3.pem
lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 3cc8c9a0.r0 -> crl6.pem
lrwxrwxrwx 1 radius radius     20 Nov 10 16:19 5a64316f.0 -> radius.crt
lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 5be750ed.r0 -> crl2.pem
lrwxrwxrwx 1 radius radius     20 Nov 10 16:19 68db0f86.0 -> radius.pem
lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 92b2a332.r0 -> crl5.pem
lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 b0f3e76e.r0 -> crl4.pem
lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 f31b716b.r0 -> crl1.pem
lrwxrwxrwx 1 radius radius      6 Nov 10 16:19 f6efabfa.0 -> ca.pem

...

My question is: how does FreeRADIUS find the correct CRL and check whether the user
certificate is still valid?

This RADIUS server was set up by a colleague many years ago and he
can't remember how he did it :]

Thank you very much, because there is a lack of any information about it
on the Internet.

—
Martin Čmelík




More information about the Freeradius-Users mailing list