Issue with OCSP check
Antoine JOUBERT
antoine at joubert.ninja
Mon Aug 5 15:01:42 CEST 2019
Hi,
I had set up and got OCSP working with Freeradius in early 2016. However,
I've recently noticed that it's not working anymore, as users with a
revoked certificate are still able to connect to the network due to
softfail being enabled.
I'm using the Debian Stretch package of Freeradius:
freeradius -v
radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built
on Aug 10 2017 at 07:05:06
FreeRADIUS Version 3.0.12
Our company is using its own PKI, managed with EasyRSA. Every user
certificate is signed directly with our CA certificate.
Here's our TLS configuration for the EAP module:
tls-config tls-common {
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server.crt
    ca_file = ${cadir}/ca.crt
    dh_file = ${certdir}/dh2048.pem
    ca_path = ${cadir}
    check_cert_issuer = "/C=EU/ST=SomeState/L=SomeCity/O=MyCompany/OU=Internal/CN=MyCA/name=EasyRSA/emailAddress=<redacted>"
    cipher_list = "DEFAULT"
    ecdh_curve = "prime256v1"
    cache {
        [...]
    }
    verify {
        [...]
    }
    ocsp {
        enable = yes
        override_cert_url = yes
        url = "http://mycompany.local/ocsp"
        use_nonce = yes
        timeout = 0
        softfail = yes
    }
}
When starting Freeradius in debug mode, I'm getting the following error:
(7) eap_tls: Continuing EAP-TLS
(7) eap_tls: Got final TLS record fragment (284 bytes)
(7) eap_tls: [eaptls verify] = ok
(7) eap_tls: Done initial handshake
(7) eap_tls: TLS_accept: SSLv3/TLS write server done
(7) eap_tls: <<< recv TLS 1.2 [length 0a78]
(7) eap_tls: Creating attributes from certificate OIDs
(7) eap_tls: TLS-Cert-Serial := "9de69ecd874173d2"
(7) eap_tls: TLS-Cert-Expiration := "251220162210Z"
(7) eap_tls: TLS-Cert-Subject :=
"/C=EU/ST=SomeState/L=SomeCity/O=MyCompany/OU=Internal/CN=MyCA/name=EasyRSA/emailAddress=<redacted>"
(7) eap_tls: TLS-Cert-Issuer :=
"/C=EU/ST=SomeState/L=SomeCity/O=MyCompany/OU=Internal/CN=MyCA/name=EasyRSA/emailAddress=<redacted>"
(7) eap_tls: TLS-Cert-Common-Name := "Nameshield CA"
(7) eap_tls: Creating attributes from certificate OIDs
(7) eap_tls: TLS-Client-Cert-Serial := "011b"
(7) eap_tls: TLS-Client-Cert-Expiration := "290128160026Z"
(7) eap_tls: TLS-Client-Cert-Subject :=
"/C=EU/ST=SomeState/L=SomeCity/O=MyCompany/OU=Internal/CN=user/name=EasyRSA/emailAddress=<redacted>"
(7) eap_tls: TLS-Client-Cert-Issuer :=
"/C=EU/ST=SomeState/L=SomeCity/O=MyCompany/OU=Internal/CN=MyCA/name=EasyRSA/emailAddress=<redacted>"
(7) eap_tls: TLS-Client-Cert-Common-Name := "user"
(7) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "user"
(7) eap_tls: TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(7) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "<redacted>"
(7) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"keyid:<redacted>\nDirName:/C=EU/ST=SomeState/L=SomeCity/O=Nameshield/OU=Internal/CN=MyCA/name=EasyRSA/emailAddress=<redacted>\nse"
(7) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication"
(7) eap_tls: Starting OCSP Request
*(7) eap_tls: ERROR: Couldn't get issuer_cert for user*
(7) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(7) eap_tls: <<< recv TLS 1.2 [length 0046]
(7) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(7) eap_tls: <<< recv TLS 1.2 [length 0108]
(7) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(7) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(7) eap_tls: <<< recv TLS 1.2 [length 0010]
(7) eap_tls: TLS_accept: SSLv3/TLS read finished
(7) eap_tls: >>> send TLS 1.2 [length 0001]
(7) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(7) eap_tls: >>> send TLS 1.2 [length 0010]
(7) eap_tls: TLS_accept: SSLv3/TLS write finished
(7) eap_tls: (other): SSL negotiation finished successfully
(7) eap_tls: SSL Connection Established
(7) eap_tls: [eaptls process] = handled
(7) eap: Sending EAP Request (code 1) ID 9 length 61
(7) eap: EAP session adding &reply:State = 0xbef729bab9fe249e
After looking for a solution for a few hours, I'm pretty much out of
ideas. I'm not finding any reference to this error message aside from
the source code.
Do you have any idea what could cause this issue?
Thanks!
Regards,
Antoine
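An added diagnostic (not part of the original post or of FreeRADIUS) for the step the debug log fails at, the issuer lookup before the OCSP request: it builds a throwaway CA and client certificate with constructed names, then checks outside FreeRADIUS whether OpenSSL can locate the issuer through a `ca_path`-style directory (which needs `<hash>.0` links, not just a copy of `ca.crt`) and whether an OCSP request with a nonce can be built for the client certificate. The directory names and subjects are assumptions for the demo, not the poster's files.

```shell
#!/bin/sh
# Constructed test PKI in a temp dir; nothing here touches a real CA or responder.
set -e
WORK="$(mktemp -d)"

# Self-signed CA plus a client cert signed directly by it, the same shape as
# the EasyRSA setup in the post (hypothetical subject names).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=MyCA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=user" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/user.crt" 2>/dev/null
}

# Returns 0 when OpenSSL can find the issuer of cert $2 via directory $1.
# Directory lookup is by subject-hash filename, so the CA must be reachable
# as <hash>.0 inside the directory.
issuer_found_in_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Builds the OCSP request (issuer hashes + serial, with a nonce as in the
# post's config) without contacting any responder; returns 0 if it parses.
build_ocsp_request() {
  openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/user.crt" -nonce \
    -reqout "$WORK/req.der" >/dev/null 2>&1 &&
  openssl ocsp -reqin "$WORK/req.der" -text 2>/dev/null | grep -q "Serial Number"
}

make_test_pki
mkdir -p "$WORK/unhashed" "$WORK/hashed"
cp "$WORK/ca.crt" "$WORK/unhashed/"
# Same CA, but with the <hash>.0 link a directory lookup requires.
ln -s "$WORK/ca.crt" "$WORK/hashed/$(openssl x509 -noout -hash -in "$WORK/ca.crt").0"

for d in unhashed hashed; do
  if issuer_found_in_capath "$WORK/$d" "$WORK/user.crt"; then
    echo "$d: issuer found"
  else
    echo "$d: issuer NOT found"
  fi
done
build_ocsp_request && echo "OCSP request built: $(openssl x509 -noout -subject -in "$WORK/user.crt")"
```

The `-reqin ... -text` output shows the issuer name hash, issuer key hash and serial that any responder will be asked about, which is useful to compare against what the responder actually indexes.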