Issue with OCSP check

Antoine JOUBERT antoine at
Mon Aug 5 17:21:06 CEST 2019

Hi Alan,

So... updating Freeradius to 3.0.19 as suggested fixed the issue.

I have no clue why I didn't try that sooner.

Thanks a lot for your help!



On 05/08/2019 15:15, Alan DeKok wrote:
> On Aug 5, 2019, at 9:01 AM, Antoine JOUBERT via Freeradius-Users <freeradius-users at> wrote:
>> I had setup and got OCSP working with Freeradius in early 2016. However, I've recently noticed that it's not working anymore, as users with a revoked certificate are still able to connect to the network due to softfail being enabled.
>    That's largely what softfail means.
>> I'm using the Debian Stretch package of Freeradius :
>> freeradius -v
>> radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:05:06
>> FreeRADIUS Version 3.0.12
>    Arg.  You may want to update to 3.0.19 using the packages on
>> Our company is using its own PKI, managed with EasyRSA. Every user certificate is signed directly with our CA certificate.
>> ...
>> (7) eap_tls: Starting OCSP Request
>> *(7) eap_tls: ERROR: Couldn't get issuer_cert for user*
>    The EAP-TLS session doesn't contain the issuer certificate.  Why?  It's not clear.  TLS and user supplicants are magic.  :(
>    Update to 3.0.19.  It will then set "request:TLS-OCSP-Cert-Valid = 2" if the OSCP checks were skipped.  You can check for that in policies.
>    Alan DeKok.

More information about the Freeradius-Users mailing list