Issue with intermediate CAs

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Jun 22 22:45:06 CEST 2015


> On Jun 22, 2015, at 3:57 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
>  We had a CVE issued today:  http://www.ocert.org/advisories/ocert-2015-008.html
> 
>  OpenSSL doesn't check intermediate CAs for expiry when setting the "check CRL" flag.  You need to set another flag saying "I really mean check ALL of the CRLs".  FreeRADIUS didn't set that flag.
> 
>  The impact for 99% of people is nothing.  In order to be vulnerable, you have to have all of the following in the configuration:
> 
> 1) the RADIUS system has to use a public CA
> 
> 2) use an intermediate CA to issue client certificates
> 
> 3) enable EAP-TLS
> 
>  Most people don't have EAP-TLS enabled.  A small number of people might be using an intermediate CA.  A vanishingly small number of people will be using a public CA for RADIUS.
> 
>  Using a public CA is a *terrible* idea.  We have been recommending against it for years.
> 
>  The problem got a CERT advisory issued because technically it is a security bug, and the original person who reported it didn't want to contact security at freeradius.org.
> 
>  We'll get 2.2.8 and 3.0.9 out soon.  In the mean time, most people can ignore this issue.

Just to clarify. This will likely only affect you if you got an intermediary CA from a public CA, then used that to sign certificates that you distributed to your clients.

You should generally never do this.

-Arran
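The two CRL-checking modes Alan describes can be reproduced with the openssl command line, whose `-crl_check` and `-crl_check_all` options set the same library flags (`X509_V_FLAG_CRL_CHECK` alone versus together with `X509_V_FLAG_CRL_CHECK_ALL`). The script below is an added example, not code from this thread or from FreeRADIUS; it assumes an `openssl` binary with a default config, and every name, subject and validity period in it is constructed for the demonstration. CRLs are handed to the verifier directly rather than fetched from distribution points.

```shell
#!/bin/sh
# Added example: builds root -> intermediate -> leaf, revokes the intermediate in the
# root's CRL, then verifies the leaf with -crl_check (leaf only) and -crl_check_all
# (whole chain). Names, subjects and validity periods are constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper; set -e still aborts on failure

# Minimal "openssl ca" config per CA: its own index file is all that -revoke and
# -gencrl need here.
ca_cnf() {
  printf '[ca]\ndefault_ca=d\n[d]\ndatabase=%s.idx\ndefault_md=sha256\n' "$1" > "$1.cnf"
  : > "$1.idx"
}
ca_cnf root; ca_cnf int
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# root CA, intermediate CA signed by the root, client leaf signed by the intermediate
q openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -subj /CN=root -days 30
q openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj /CN=int
q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -days 30 -out int.crt
q openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj /CN=leaf
q openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -extfile leaf.ext -days 30 -out leaf.crt

# The root revokes the intermediate; the intermediate publishes an empty CRL covering the leaf.
q openssl ca -config root.cnf -keyfile root.key -cert root.crt -revoke int.crt
q openssl ca -config root.cnf -keyfile root.key -cert root.crt -gencrl -crldays 30 -out root.crl
q openssl ca -config int.cnf -keyfile int.key -cert int.crt -gencrl -crldays 30 -out int.crl
cat root.crl int.crl > crls.pem

# verify_leaf FLAG: returns 0 if openssl accepts the leaf under that CRL policy, 1 otherwise
verify_leaf() {
  if openssl verify -CAfile root.crt -untrusted int.crt -CRLfile crls.pem "$1" leaf.crt >/dev/null 2>&1; then
    echo "$1: leaf accepted"; return 0
  fi
  echo "$1: leaf rejected"; return 1
}
verify_leaf -crl_check || true      # leaf-only check: the revoked intermediate is never consulted
verify_leaf -crl_check_all || true  # whole-chain check: rejected at the intermediate
```

With only `-crl_check` the leaf is accepted even though its issuing CA is on the root's CRL; `-crl_check_all` is what makes the intermediate's revocation count.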