OCSP parsing in client certificate
Beltramini Francesco
Francesco.Beltramini at ema.europa.eu
Tue Apr 16 17:30:39 CEST 2013
Dear all,
I have a small/big issue and I cannot find a good solution for that.
Scenario:
iPhones with certificates from internal PKI, joining a Wi-Fi network protected by WPA2-Enterprise authenticating against a Freeradius server v. 2.1.12 (Redhat 6.3). The radius server has as well an internal PKI certificate and the authentication used is EAP-TLS.
No CRL/OCSP implementation on the first stage. Everything is working fine, the mobile device is configured to accept the radius certificate and the peers can therefore mutually authenticate each other.
I then configured a Microsoft OCSP array to implement client certificate status checking on the radius server.
When "override_cert_url = yes" in the OCSP section in eap.conf is configured to override the responder URL, everything is fine and radius gets correct responses:
[tls] --> verify return:1
[tls] --> Starting OCSP Request
[ocsp] --> Responder URL = http://crl.ema.europa.eu:80/ocsp
[ocsp] --> Response status: successful
This Update: Apr 16 09:50:00 2013 GMT
Next Update: Apr 17 22:10:00 2013 GMT
[oscp] --> Cert status: good
[ocsp] --> Certificate is valid!
[tls] chain-depth=0,
but when I try to remove this feature and use the OCSP property extracted from the client certificate, the radiusd -X output is:
[tls] --> Starting OCSP Request
[ocsp] --> Responder URL = http://(null):(null)(null)
Error: Couldn't get OCSP response
[ocsp] --> Certificate has been expired/revoked!
[tls] chain-depth=0,
[tls] error=0
I don't know if the problem is the client certificate or how Radius parses it. If this can help to understand, the output of:
openssl x509 -in beltraminif.cer -noout -ocspid -ocsp_uri
is http://crl.ema.europa.eu/ocsp (which is the correct URL).
Any input is really appreciated.
Regards,
Francesco Beltramini
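Added illustration (not part of the original mail and not FreeRADIUS code): a stdlib-only Python decoder for the AuthorityInformationAccess extension value that extracts the OCSP responder URI a server is expected to use when override_cert_url is not set, plus the host/port/path split that the debug lines print. The AIA values below are constructed here; the caIssuers-only sample shows the case where there is simply no OCSP URL to extract.

```python
from urllib.parse import urlsplit

# DER bodies of the accessMethod OIDs from RFC 5280 section 4.2.2.1
OCSP_OID_DER = bytes.fromhex("2b06010505073001")       # id-ad-ocsp      1.3.6.1.5.5.7.48.1
CAISSUERS_OID_DER = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2

def der_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def ocsp_uris(aia_value):
    """AIA ::= SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }.
    Returns the uniformResourceIdentifier ([6], tag 0x86) of every id-ad-ocsp entry;
    an empty list means a server that reads the URL from the certificate has nothing to use."""
    tag, seq, _ = der_tlv(aia_value, 0)
    if tag != 0x30:
        raise ValueError("AIA value is not a SEQUENCE")
    uris, pos = [], 0
    while pos < len(seq):
        _, desc, pos = der_tlv(seq, pos)
        mtag, method, p = der_tlv(desc, 0)
        ltag, location, _ = der_tlv(desc, p)
        if mtag == 0x06 and method == OCSP_OID_DER and ltag == 0x86:
            uris.append(location.decode("ascii"))
    return uris

def responder_parts(uri):
    """Split a responder URI into (host, port, path), the three fields the debug log prints;
    None means a component is missing, which the log would render as '(null)'."""
    u = urlsplit(uri)
    if u.scheme != "http" or not u.hostname:
        return None
    return u.hostname, str(u.port or 80), u.path or "/"

def der(tag, body):                         # short-form lengths only (< 128 bytes)
    return bytes([tag, len(body)]) + body

# Constructed sample AIA values (not from a real certificate).
CA_ISSUERS_ENTRY = der(0x30, der(0x06, CAISSUERS_OID_DER) + der(0x86, b"http://crl.example.test/ca.cer"))
OCSP_ENTRY = der(0x30, der(0x06, OCSP_OID_DER) + der(0x86, b"http://crl.example.test/ocsp"))
SAMPLE_AIA = der(0x30, CA_ISSUERS_ENTRY + OCSP_ENTRY)   # what a usable client cert carries
SAMPLE_AIA_NO_OCSP = der(0x30, CA_ISSUERS_ENTRY)        # caIssuers only: no OCSP URL to extract
```

To check a real certificate, feed it the bytes of the AIA extension's OCTET STRING contents (what openssl x509 -ocsp_uri reads) rather than the whole certificate.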