EAP-TLS CRL checking when multiple CAs used
Martin Čmelík
martin.cmelik at gmail.com
Mon Nov 14 10:18:25 CET 2011
Hi,
Does nobody know how to set up FreeRADIUS to check new CRL lists? Should I
provide more information (it is not easy to get the output from radiusd
-X, but if it is essential I can try)?
Thank you for any suggestions.
—
Martin Čmelík
2011/11/10 Martin Čmelík <martin.cmelik at gmail.com>:
> Hi,
>
> I downloaded the current stable FreeRADIUS version 2.1.12 and imported the
> configuration from the old server (rewrote etc/raddb).
> Everything seems to be OK, but I must now add another two trusted CAs
> to ca.pem and also enable checking against CRL files, as for the others.
>
> Let's say that eap.conf is set up by default:
>
> tls {
>     certdir = ${confdir}/certs
>     cadir = ${confdir}/certs
>     private_key_password = whatever
>     private_key_file = ${certdir}/server.pem
>     certificate_file = ${certdir}/server.pem
>     CA_file = ${cadir}/ca.pem
>     dh_file = ${certdir}/dh
>     random_file = ${certdir}/random
>     check_crl = yes
>     CA_path = ${cadir}
>     cipher_list = "DEFAULT"
>     make_cert_command = "${certdir}/bootstrap"
>     ecdh_curve = "prime256v1"
>     cache {
>         enable = no
>         max_entries = 255
>     }
>     verify {
>     }
>     ocsp {
>         enable = no
>         override_cert_url = yes
>         url = "http://127.0.0.1/ocsp/"
>     }
> }
>
> One of our scripts downloads the CRL files every 20 minutes, moves them to
> the certs directory and c_rehashes them.
>
> It works for the old certificates (4 CAs) but doesn't work for the two which I added now.
>
> When somebody with a certificate issued by a new CA tries to log in I see
> this error in the log:
>
> Thu Nov 10 12:56:51 2011 : Error: --> verify error:num=3:unable to get certificate CRL
> Thu Nov 10 12:56:51 2011 : Auth: Login incorrect (unable to get certificate CRL): [John Smith] (from client some-device port 29 cli AA-BB-CC-DD-EE-FF)
>
> The hashes are generated correctly:
>
> lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 21e0d39d.r0 -> crl3.pem
> lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 3cc8c9a0.r0 -> crl6.pem
> lrwxrwxrwx 1 radius radius 20 Nov 10 16:19 5a64316f.0 -> radius.crt
> lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 5be750ed.r0 -> crl2.pem
> lrwxrwxrwx 1 radius radius 20 Nov 10 16:19 68db0f86.0 -> radius.pem
> lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 92b2a332.r0 -> crl5.pem
> lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 b0f3e76e.r0 -> crl4.pem
> lrwxrwxrwx 1 radius radius 8 Nov 10 16:19 f31b716b.r0 -> crl1.pem
> lrwxrwxrwx 1 radius radius 6 Nov 10 16:19 f6efabfa.0 -> ca.pem
>
> ...
>
> My question is: how does FreeRADIUS find the correct CRL list and check whether a user
> certificate is still valid?
>
> This RADIUS server was set up by a colleague many years ago and he
> can't remember how he did it :]
>
> Thank you very much, because there is a lack of any information about it
> on the Internet.
>
> —
> Martin Čmelík
>
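Added example, not from the original post and not code from the FreeRADIUS project: a throwaway PKI driven with the openssl command-line tool to show how the CA_path lookup finds a CRL. With check_crl = yes, FreeRADIUS hands CA_path to OpenSSL's hashed-directory lookup, which opens `<hash>.0` for CA certificates and `<hash>.r0` (then `.r1`, ...) for CRLs; `<hash>` is computed from the CRL's issuer name, so it has to equal the hash of the issuing CA's subject name, which is exactly what c_rehash produces. The script builds a CA, issues two client certificates, revokes one, and runs `openssl verify -crl_check` (the leaf-only CRL check) against the directory before and after the CRL link exists. The first run reproduces the `unable to get certificate CRL` verify error from the log above. The CA name, the user names alice and bob, and the config file are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeRADIUS): reproduce the
# hashed-directory CRL lookup OpenSSL performs for CA_path with a throwaway CA.
# Requires the openssl command-line tool. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for 'openssl ca' (constructed for this example).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = test_ca
[ test_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 2
default_crl_days = 1
policy           = any_policy
x509_extensions  = usr_cert
[ any_policy ]
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions  = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Throwaway CA plus two client certificates; bob's is revoked afterwards.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -days 2 -subj "/CN=Example Test CA" 2>/dev/null
for user in alice bob; do
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout "$user.key" \
        -out "$user.csr" -subj "/CN=$user" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in "$user.csr" -out "$user.pem" 2>/dev/null
done
openssl ca -config ca.cnf -revoke bob.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl1.pem 2>/dev/null

# What c_rehash does: a CA certificate is linked as <subject-hash>.0 and a CRL
# as <issuer-hash>.r0. OpenSSL looks the CRL up by the hash of the issuer name
# on the presented certificate, so the two hashes must be identical.
ca_hash()  { openssl x509 -in "$1" -noout -hash; }
crl_hash() { openssl crl  -in "$1" -noout -hash; }

# Classify 'openssl verify -crl_check' (the leaf CRL check that check_crl = yes
# enables) against a hashed directory: ok, revoked, no-crl or other.
verify_status() {
    out=$(openssl verify -crl_check -CApath "$2" "$1" 2>&1) || true
    case "$out" in
        *"unable to get certificate CRL"*) echo no-crl ;;
        *"certificate revoked"*)           echo revoked ;;
        *": OK"*)                          echo ok ;;
        *)                                 echo "other: $out" ;;
    esac
}

# 1) Only the CA is hashed into the directory: verification fails with the same
#    "unable to get certificate CRL" (error 3) seen in the radiusd log.
mkdir certs
cp ca.pem certs/
ln -s ca.pem "certs/$(ca_hash ca.pem).0"
echo "CRL absent : alice -> $(verify_status alice.pem certs)"   # no-crl

# 2) The CRL is hashed in as <issuer-hash>.r0: the lookup now succeeds.
cp crl1.pem certs/
ln -s crl1.pem "certs/$(crl_hash crl1.pem).r0"
echo "CRL present: alice -> $(verify_status alice.pem certs)"   # ok
echo "CRL present: bob   -> $(verify_status bob.pem certs)"     # revoked
echo "CA subject hash $(ca_hash ca.pem), CRL issuer hash $(crl_hash crl1.pem)"
ls -l certs
```

Three things to check on the real server follow from this: `openssl crl -in crlN.pem -noout -hash` for each new CA's CRL must print the same value as `openssl x509 -in <that CA cert> -noout -hash`, and a link with that value and the `.r0` suffix must exist in CA_path (the hash changed between OpenSSL 0.9.8 and 1.0, so links produced by a c_rehash from a different OpenSSL version will not be found; `-subject_hash_old` prints the old form). Each CRL needs its own file, since c_rehash hashes a bundle by its first entry only; the same holds for a multi-CA ca.pem, which is fine for trust because CA_file loads the whole bundle, but does not help the CRL lookup. Finally, OpenSSL's directory lookup does not re-read a CRL file that was replaced under an existing hashed name, so a running radiusd needs to be restarted (or HUPed) after the download script refreshes the CRLs.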