suddenly problem with certificates / error in SSLv3 read client certificate B

John Dennis jdennis at redhat.com
Wed Jan 23 20:58:29 CET 2013


On 01/23/2013 01:53 PM, Stephan Manske wrote:

> IMHO these patch
> https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
>
> with
>
> +ca.key ca.pem: ca.cnf index.txt serial
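Review bot: `ca.key ca.pem: ca.cnf index.txt serial` makes the CA key and certificate a target that is out of date whenever index.txt or serial is newer than ca.key, and `openssl ca` rewrites both of those files every time it issues a certificate, so the second cert issued from this directory silently triggers a fresh CA that none of the previously issued certs chain to. If the intent is only that the database and serial file exist before the CA is created, use a GNU make order-only prerequisite (`ca.key ca.pem: ca.cnf | index.txt serial`) or create them inside the recipe, so their timestamps can never cause ca.key to be rebuilt.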
>
> makes ca.key dependent on the date of index.txt and serial
>
> Both files are updated every time a new client cert is built. IMHO.

Good catch! Yes, every time you generate a client cert both the database 
(index.txt) and the serial number file are updated. The database file 
keeps a record of every cert issued by the CA. The serial file is used 
so the CA knows the next serial number to use.

The cert generation only works once; the next client cert issued causes a 
new CA key/cert to be generated.

But there is another problem as well. The client.cnf file embeds the 
cert subject name. Apparently the openssl ca command will not update the 
database if there already is a cert with the same subject, which there 
will be unless you edit the client.cnf file. This causes the ca command 
to fail. It doesn't matter if the cert with the duplicate subject has a 
different serial number.

As for why in different circumstances you've seen openssl emit the error 
about incomplete data, my best guess is the client files might have been 
corrupted when the ca command failed. If it were only a CA key change 
issue you should have just gotten a bad signature verification failure.

HTH,

John


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
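As an added example (not code from this thread, nor from FreeRADIUS or OpenSSL), here is a small Python pre-flight check for the CA directory the discussion above describes. It parses the OpenSSL CA database (index.txt: one tab-separated line per issued cert with status, expiry, revocation date, serial, filename and subject DN) and the serial file, and reports whether a subject is already held by a valid entry, which is the duplicate-subject condition that makes `openssl ca` fail with the unchanged client.cnf. The sample database contents, the file names and all function names are constructed for this example; the subject comparison is an exact match on the DN text, which is an assumption that is close enough for a pre-flight check (openssl itself compares the parsed DN).

```python
#!/usr/bin/env python3
"""Pre-flight check for an OpenSSL-style CA directory (as used by raddb/certs).

Added example, not project code. index.txt holds one record per issued cert,
six tab-separated fields: status (V valid, R revoked, E expired), expiry,
revocation date (empty unless revoked), serial (hex), filename, subject DN.
The serial file holds the next serial number in hex; `openssl ca` rewrites
both files on every successful issue, which is why their mtimes change.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IndexEntry:
    status: str      # 'V', 'R' or 'E'
    expiry: str      # e.g. 250123205829Z
    revoked: str     # revocation timestamp, empty unless status == 'R'
    serial: str      # hex serial as written by openssl ca
    filename: str    # 'unknown' unless certs are stored by name
    subject: str     # '/C=.../O=.../CN=...'


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt. Blank lines are skipped; any other malformed line is an error."""
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(
                f"index.txt line {lineno}: expected 6 tab-separated fields, got {len(fields)}"
            )
        entries.append(IndexEntry(*fields))
    return entries


def next_serial(text: str) -> int:
    """Return the serial that the next `openssl ca` run would assign."""
    return int(text.strip(), 16)


def existing_valid_subject(entries: List[IndexEntry], subject: str) -> Optional[IndexEntry]:
    """Return the valid entry already holding this subject, or None.

    Only status 'V' rows count: a revoked or expired cert with the same
    subject does not block re-issue under unique_subject = yes.
    """
    for entry in entries:
        if entry.status == "V" and entry.subject == subject:
            return entry
    return None


def preflight(index_text: str, serial_text: str, subject: str) -> str:
    """Describe what `openssl ca` would do for this subject, before touching the CA."""
    clash = existing_valid_subject(parse_index(index_text), subject)
    if clash is not None:
        return (
            f"refuse: subject already issued as serial {clash.serial} "
            f"(valid until {clash.expiry}); change the subject in client.cnf or revoke it"
        )
    return f"ok: would issue serial {next_serial(serial_text):02X}"


# Constructed sample CA state: a server cert and a client cert already issued,
# one earlier client cert for the same user revoked. Not real data.
SAMPLE_INDEX = (
    "V\t250123205829Z\t\t01\tunknown\t/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.com\n"
    "R\t250123205829Z\t240601120000Z\t02\tunknown\t/C=FR/ST=Radius/O=Example Inc./CN=old@example.com/emailAddress=old@example.com\n"
    "V\t250123205829Z\t\t03\tunknown\t/C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com\n"
)
SAMPLE_SERIAL = "04\n"
CLIENT_SUBJECT = "/C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com"
REVOKED_SUBJECT = "/C=FR/ST=Radius/O=Example Inc./CN=old@example.com/emailAddress=old@example.com"

if __name__ == "__main__":
    # Re-running `make client.pem` with an unedited client.cnf hits the first case.
    print(preflight(SAMPLE_INDEX, SAMPLE_SERIAL, CLIENT_SUBJECT))
    print(preflight(SAMPLE_INDEX, SAMPLE_SERIAL, REVOKED_SUBJECT))
```

Run it against a real raddb/certs directory by reading index.txt and serial from disk and passing the subject built from the `[client]` section of client.cnf; a "refuse" result before running `openssl ca` avoids the failed run (and the possibly half-written client files) described above.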