[RP #2160] EAP-TLS | OCSP with Intermediate CA

Isaac Boukris iboukris at gmail.com
Tue Jan 23 19:07:19 CET 2018


Hey,

On Thu, Jan 18, 2018 at 3:11 AM, Isaac Boukris <iboukris at gmail.com> wrote:
> Hello,
>
> Following up on the pull-request. The scenario I am testing is when a
> client is issued a certificate from a sub-ca which is not trusted (ca_file
> only points to root CA).
> In such case, the client must send its issuer certificate along in
> order to complete the chain and get verified.
> This works ok, however the OCSP verification is skipped in such case
> because we fail to get the issuer certificate (even if softfail is no).
>
> The first patch fixes the above and treats this error as a soft failure.
> The second one attempts to get the issuer-certificate differently
> which works for this scenario (where the issuer isn't trusted).

Any thoughts on this? I can collect server debug of this flow, before
and after the patches if it helps.

Thanks!

