EAP-TLS, session resumption and OCSP

Alan DeKok aland at deployingradius.com
Fri Mar 3 13:12:20 CET 2017

On Mar 3, 2017, at 4:34 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
> One of the things we observed is that if an authentication uses TLS
> session resumption, the server does not re-check the OCSP state of the
> client cert that was used to login initially.

  Yes.  The OCSP checks are done in an OpenSSL callback when the certificate is first received.  During session resumption there's no certificate used, so no OpenSSL callback.

> Looking at the TLS-Client-Cert-* attributes which get restored from
> session cache, it looks like it could be easy to do that though - the
> serial number of the cert is saved; and the OCSP responder URL maybe
> isn't but could be. And with both pieces of information, another OCSP
> check can be run even on a resumed session.


> A related question: how is the cache lifetime determined? When config
> sets it to 24 hours, is that 24 hours after the initial, full,
> authentication, or is that lifetime refreshed with every re-auth,
> meaning the cache expires after 24 hours of non-use?

  The cached session information will expire after 24 hours.  When a session is resumed, the old information is deleted, and a new entry is created.

> If the latter, a revoked user could perpetually prolong his account
> lifetime even if OCSP wouldn't want to let him.

  So long as you keep letting him in, yes.

> Also, something we didn't check but that just now comes to my mind: does
> the server check the expiry time of the cert on a resumed session?

  Hmm... I'll have to check that.  I'm not sure.

  Alan DeKok.

More information about the Freeradius-Users mailing list