[RP #2160] EAP-TLS | OCSP with Intermediate CA
Isaac Boukris
iboukris at gmail.com
Thu Jan 18 02:11:22 CET 2018
Hello,
Following up on the pull-request. The scenario I am testing is when a
client issue a certificate from a sub-ca which is not trusted (ca_file
only points to root CA).
In such case, the client must send its issuer certificate along in
order to complete the chain and get verified.
This works ok, however the OCSP verification is skipped in such case
because we fail get issuer certificate (even if softfail is no).
The first patch fix the above and treats this error as a soft failure.
The second one attempts to get the issuer-certificate differently
which works for this scenario (where the issuer isn't trusted).
Note that eapol_test, unlike some other supplicants, doesn't send all
the certificates from the client_cert file.
However, it can be done with a little patch as follows:
# git diff
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index ce73848..d180343 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct
tls_connection *conn,
return 0;
}
- if (SSL_use_certificate_file(conn->ssl, client_cert,
- SSL_FILETYPE_PEM) == 1) {
+ if (SSL_use_certificate_chain_file(conn->ssl, client_cert)) {
ERR_clear_error();
- wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
+ wpa_printf(MSG_DEBUG, "OpenSSL:
SSL_use_certificate_chain_file (PEM)"
" --> OK");
return 0;
Configuration example:
network={
ssid="1x-test"
key_mgmt=IEEE8021X
eap=TLS
identity="bob"
ca_cert="freeradius_ca_cert"
client_cert="client_cert_and_issuer"
private_key="key"
private_key_passwd="pwd"
eapol_flags=3
}
Thanks,
Isaac B.
More information about the Freeradius-Users
mailing list