EAP-TLS CRL checking when multiple CAs used

Martin Čmelík martin.cmelik at gmail.com
Mon Nov 14 10:18:25 CET 2011


Hi,

Does nobody know how to set up freeradius to check new CRL lists? Should I
provide more information (it is not easy to get the output from radiusd
-X, but if it is essential I can try it)?

Thank you for any suggestion

—
Martin Čmelík





2011/11/10 Martin Čmelík <martin.cmelik at gmail.com>:
> Hi,
>
> I downloaded the current stable freeradius version 2.1.12 and imported the
> configuration from the old server (rewrote etc/raddb).
> Everything seems to be OK, but I must now add another two trusted CAs
> into ca.pem and also enable checking against CRL files, as for the others.
>
> Let's say that eap.conf is set up by default:
>
>                tls {
>                        certdir = ${confdir}/certs
>                        cadir = ${confdir}/certs
>                        private_key_password = whatever
>                        private_key_file = ${certdir}/server.pem
>                        certificate_file = ${certdir}/server.pem
>                        CA_file = ${cadir}/ca.pem
>                        dh_file = ${certdir}/dh
>                        random_file = ${certdir}/random
>                        check_crl = yes
>                        CA_path = ${cadir}
>                        cipher_list = "DEFAULT"
>                        make_cert_command = "${certdir}/bootstrap"
>                        ecdh_curve = "prime256v1"
>                        cache {
>                              enable = no
>                              max_entries = 255
>                        }
>                        verify {
>                        }
>                        ocsp {
>                              enable = no
>                              override_cert_url = yes
>                              url = "http://127.0.0.1/ocsp/"
>                        }
>                }
>
> One of our scripts downloads CRL files every 20 minutes, moves them to the
> certs directory and runs c_rehash on them.
>
> It works for the old certificates (4 CAs) but doesn't work for the two which I added now.
>
> When somebody with a certificate issued by a new CA tries to log in I see
> this error in the log:
>
> Thu Nov 10 12:56:51 2011 : Error: --> verify error:num=3:unable to get certificate CRL
> Thu Nov 10 12:56:51 2011 : Auth: Login incorrect (unable to get certificate CRL): [John Smith] (from client some-device port 29 cli AA-BB-CC-DD-EE-FF)
>
> Hashes are generated well:
>
> lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 21e0d39d.r0 -> crl3.pem
> lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 3cc8c9a0.r0 -> crl6.pem
> lrwxrwxrwx 1 radius radius     20 Nov 10 16:19 5a64316f.0 -> radius.crt
> lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 5be750ed.r0 -> crl2.pem
> lrwxrwxrwx 1 radius radius     20 Nov 10 16:19 68db0f86.0 -> radius.pem
> lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 92b2a332.r0 -> crl5.pem
> lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 b0f3e76e.r0 -> crl4.pem
> lrwxrwxrwx 1 radius radius      8 Nov 10 16:19 f31b716b.r0 -> crl1.pem
> lrwxrwxrwx 1 radius radius      6 Nov 10 16:19 f6efabfa.0 -> ca.pem
>
> ...
>
> My question is: how does freeradius find the correct CRL list and check if the user
> certificate is still valid?
>
> This radius server was set up by a colleague many years ago and he
> can't remember how he did it :]
>
> Thank you very much, because there is a lack of any information about it
> on the Internet.
>
>> Martin Čmelík
>




More information about the Freeradius-Users mailing list