EAP-TLS CRL problem - a PKIX guru around?
Stefan Winter
stefan.winter at restena.lu
Tue Mar 10 14:47:31 CET 2015
Hi,
I've just had to revoke a certificate, and thus had to configure
FreeRADIUS to enable CRL checks. Which went fine, except that while
checking a valid cert, the CRL checks bark with something I don't
understand.
It's not entirely a FreeRADIUS question, but ... maybe there are enough clueful
EAP-TLS deployers around?
What I see in debug mode is this:
(5760) eap_tls: <<< TLS 1.0 Handshake [length 141a], Certificate
(5760) eap_tls: TLS Verify adding attributes
(5760) eap_tls: &request:TLS-Client-Cert-Serial := '010d'
(5760) eap_tls: &request:TLS-Client-Cert-Expiration := '161028102449Z'
(5760) eap_tls: &request:TLS-Client-Cert-Subject := '/C=LU/L=Luxembourg/O=Fondation RESTENA/OU=Secretariat/CN=certuser-2016-009 at restena.lu/emailAddress=certuser-2016-009 at restena.lu'
(5760) eap_tls: &request:TLS-Client-Cert-Issuer := '/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin at restena.lu'
(5760) eap_tls: &request:TLS-Client-Cert-Common-Name := 'certuser-2016-009 at restena.lu'
ERROR: (5760) eap_tls: SSL says error 44 : Different CRL scope
(5760) eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown
ERROR: (5760) eap_tls: TLS Alert write:fatal:certificate unknown
tls: TLS_accept: Error in SSLv3 read client certificate B
ERROR: (5760) eap_tls: SSL says: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
So... the smoking gun line is "error 44 : Different CRL scope".
Which means exactly nothing to me. The cert is issued by
TLS-Client-Cert-Issuer := '/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin at restena.lu'
and the CRL has:
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Staff Authentication CA/emailAddress=admin at restena.lu
        Last Update: Mar 9 08:57:55 2015 GMT
        Next Update: Mar 6 08:57:55 2025 GMT
        CRL extensions:
            X509v3 Issuer Alternative Name:
                email:admin at restena.lu
            X509v3 Authority Key Identifier:
                keyid:4A:16:64:64:0B:AF:01:3D:5F:B4:9E:BB:B0:6D:FE:F2:E9:81:60:4D
                DirName:/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Services CA/emailAddress=admin at restena.lu
                serial:01:00
            X509v3 Issuing Distrubution Point:
                Full Name:
                  URI:https://www.restena.lu/restena-staffauth.crl
            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: 0103
        Revocation Date: Mar 9 08:57:15 2015 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Affiliation Changed
So, the issuer of the CRL matches the issuer of the cert, and
the CRL only revokes one of its serials, and it's not the
incoming one.
What the ... is openssl complaining about here?
If anyone knows, please enlighten me...
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
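OpenSSL's verify error 44 is X509_V_ERR_DIFFERENT_CRL_SCOPE: the CRL was found and its issuer name matched, but OpenSSL decided the CRL does not speak for this particular certificate. The CRL dump above carries an Issuing Distribution Point (IDP) extension naming a distribution point URI, and under RFC 5280 section 6.3.3 a CRL with such an IDP only covers certificates whose own CRL Distribution Points extension names the same distribution point. The debug output shows the client certificate's issuer but not its extensions, so whether it has a matching CRLDP is not visible in the mail. The following is an added example, not code from the thread, from FreeRADIUS or from OpenSSL: it models that scope decision on a small record type so the rule can be exercised directly. The DNs and CRL URI are taken from the mail; the client certificate records and the alternative URI are constructed for illustration.

```python
"""Model of the RFC 5280 CRL scope decision that OpenSSL reports as
X509_V_ERR_DIFFERENT_CRL_SCOPE (verify error 44).

Added example; not code from the mailing-list thread, FreeRADIUS or OpenSSL.
The record types below are a simplified stand-in for the X.509 objects, and
the sample certificates are constructed (the mail does not show the client
certificate's extensions).
"""
from dataclasses import dataclass, field
from typing import List, Optional

X509_V_OK = 0
X509_V_ERR_DIFFERENT_CRL_SCOPE = 44  # OpenSSL's numeric code for this error


@dataclass
class Cert:
    issuer: str
    is_ca: bool = False
    # URIs from the certificate's CRL Distribution Points extension (may be empty)
    crldp_uris: List[str] = field(default_factory=list)


@dataclass
class Crl:
    issuer: str
    # Distribution point URI from the Issuing Distribution Point extension,
    # None if the CRL has no IDP or the IDP names no distribution point
    idp_uri: Optional[str] = None
    only_user_certs: bool = False       # IDP onlyContainsUserCerts
    only_ca_certs: bool = False         # IDP onlyContainsCACerts
    only_attribute_certs: bool = False  # IDP onlyContainsAttributeCerts


def crl_in_scope(cert: Cert, crl: Crl) -> bool:
    """True if the CRL may be used to decide revocation of this certificate.

    Order of checks follows RFC 5280 6.3.3(b): the issuer names must agree,
    the IDP onlyContains* flags narrow which kind of certificate is covered,
    and when the IDP names a distribution point the certificate must carry a
    CRL Distribution Point naming the same one.
    """
    if cert.issuer != crl.issuer:
        return False
    if crl.only_attribute_certs:
        return False                      # public-key certs are never covered
    if cert.is_ca and crl.only_user_certs:
        return False
    if not cert.is_ca and crl.only_ca_certs:
        return False
    if crl.idp_uri is None:
        return True                       # no IDP name: issuer match suffices
    # IDP names a distribution point: the cert's CRLDP must name the same one.
    return crl.idp_uri in cert.crldp_uris


def verify_error(cert: Cert, crl: Crl) -> int:
    """X509_V_OK when the CRL covers the cert, error 44 when it does not."""
    return X509_V_OK if crl_in_scope(cert, crl) else X509_V_ERR_DIFFERENT_CRL_SCOPE


# Values taken from the CRL dump and debug output quoted in the mail.
STAFF_CA = ("/C=LU/L=Luxembourg/O=Fondation RESTENA"
            "/CN=RESTENA Staff Authentication CA/emailAddress=admin at restena.lu")
STAFF_CRL_URI = "https://www.restena.lu/restena-staffauth.crl"

# Constructed from the CRL dump: issuer plus an IDP naming the CRL's own URI.
staff_crl = Crl(issuer=STAFF_CA, idp_uri=STAFF_CRL_URI)

# Constructed client certificates; the mail shows only the cert's issuer.
cert_without_crldp = Cert(issuer=STAFF_CA)
cert_with_matching_crldp = Cert(issuer=STAFF_CA, crldp_uris=[STAFF_CRL_URI])
cert_with_other_crldp = Cert(issuer=STAFF_CA,
                             crldp_uris=["https://crl.example/other.crl"])  # placeholder


if __name__ == "__main__":
    cases = [
        ("cert without CRLDP, CRL with IDP", cert_without_crldp, staff_crl),
        ("cert CRLDP == CRL IDP", cert_with_matching_crldp, staff_crl),
        ("cert CRLDP != CRL IDP", cert_with_other_crldp, staff_crl),
        ("cert without CRLDP, CRL without IDP", cert_without_crldp, Crl(issuer=STAFF_CA)),
    ]
    for label, cert, crl in cases:
        print(f"{label:40s} -> verify error {verify_error(cert, crl)}")
```

To see which case a real deployment is in, dump the client certificate's extensions with `openssl x509 -in client.pem -noout -text` and compare its "X509v3 CRL Distribution Points" entry (if any) against the "Full Name" under the CRL's Issuing Distribution Point; the same decision can be reproduced end to end with `openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem`. Issuing the CRL without an IDP, or issuing client certificates whose CRLDP names the same URI as the IDP, are the two ways the scope rule is satisfied.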