OCSP Response Signed by other CA
mike at dibella.net
Thu Oct 31 19:09:49 CET 2019
In testing my OCSP responder configuration I've found that the following openssl command:
openssl ocsp -issuer client_cer_root.cer -cert client.cer -VAfile ocsp_signer.cer -url http://ocsp.responder.net/ocsp
Response verify OK
This Update: Oct 31 11:43:47 2019 GMT
Next Update: Nov 2 00:03:47 2019 GMT
I see that there is a client keyword in the verify section of the eap configuration file. I'm wondering if I can I substitute this command for the default openssl verify command prototyped in the file?
In my testing, it looks like openssl returns exit 0 for both verified and responder errors, so I'm wondering how freeradius parses the result of the command.
From: Mike DiBella
Sent: Wednesday, October 30, 2019 3:08 PM
To: 'freeradius-users at lists.freeradius.org' <freeradius-users at lists.freeradius.org>
Subject: OCSP Response Signed by other CA
I'm attempting to add OCSP certificate verification to EAP, but my responder hosts multiple CAs and signs the responses with a cert common to all. I think freeradius is assuming that the signer of the OCSP response will be the same as the signer of the client certificate, and I can't see an option to override this behavior. I've already tried concatenating the OCSP signer to the client trust certificate file, but freeradius still fails validation with "Error: rlm_eap: SSL error error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted". Any ideas?
More information about the Freeradius-Users