EAP-TLS CRL problem - a PKIX guru around?

tsouk tsouk.n at gmail.com
Wed Jan 20 16:12:06 CET 2016


Hi Stefan,

Had some CRL problems back in the day, with Apache 2.2 and Apache 2.4
behaving differently (I believe the change is in Apache 2.3, and I will
have a whole blog post about this in the BBC internet blog soon).

Have a look at the RFC (), under "6.3.3. CRL Processing", specifically:

(b)  Verify the issuer and scope of the complete CRL as follows:

         ...

         (2)  If the complete CRL includes an issuing distribution point
              (IDP) CRL extension, check the following:

            (i)   If the distribution point name is present in the IDP
                  CRL extension and the distribution field is present in
                  the DP, then verify that one of the names in the IDP
                  matches one of the names in the DP.  If the
                  distribution point name is present in the IDP CRL
                  extension and the distribution field is omitted from
                  the DP, then verify that one of the names in the IDP
                  matches one of the names in the cRLIssuer field of the
                  DP.


So I think this, in your CRL:

             X509v3 Issuing Distrubution Point:
                Full Name:
                  URI:https://www.restena.lu/restena-staffauth.crl

...and this in your Cert...

             X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://www.restena.lu/ca/restena-root.crl

...might have to match.

Let me know if this helps!
Nikos


More information about the Freeradius-Users mailing list