OCSP parsing in client certificate

Beltramini Francesco Francesco.Beltramini at ema.europa.eu
Fri Apr 19 10:32:24 CEST 2013

Thanks for your feedback. 
I don't think either that the override_cert_url = no works properly since the ocsp extension in the client certificate is not parsed anyway. 
Alan: does the change log refer to certificates without the proper extensions defined ? Because my situation is slightly different, the clients present a certificate that does contain the OCSP properties. 

Thanks and Regards,

Francesco Beltramini

-----Original Message-----
From: freeradius-users-bounces+francesco.beltramini=ema.europa.eu at lists.freeradius.org [mailto:freeradius-users-bounces+francesco.beltramini=ema.europa.eu at lists.freeradius.org] On Behalf Of Matthew Newton
Sent: 16 April 2013 21:56
To: FreeRadius users mailing list
Subject: Re: OCSP parsing in client certificate

On Tue, Apr 16, 2013 at 04:30:18PM -0400, Alan DeKok wrote:
> Beltramini Francesco wrote:
> > but when I try to remove this feature and use the OCSP property 
> > extracted from the client certificate, the radiusd -X output is:
> > 
> > [tls] --> Starting OCSP Request
> > [ocsp] --> Responder URL = http://(null):(null)(null)
>   From the v2.2.0 change log:
> 	* Skip OCSP if there's no host / port / url, with soft_fail

Hmm - I'm not sure if the override_cert_url = no code works correctly - I seem to remember I had problems with it, but I just set it to yes and forced the server anyway, as it seemed better than trusting the client-provided cert (our setup is private CA, so I know what the OCSP server is). I think I saw the same - that it wouldn't extract the URL from the cert, and just came back with (null)s. As usual, I just blamed OpenSSL and moved on.

If I get a chance, I'll try and check it again.

soft_fail will allow the auth to succeed in the event that there is no response (rather than a negative response) from the OCSP server - otherwise it "fails safe" and rejects the request. It's in case the OCSP server happens to be down for some reason.

>   Upgrade.

Always the right thing anyway :-)



Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

This e-mail has been scanned for all known viruses by European Medicines Agency.

More information about the Freeradius-Users mailing list