OCSP Response Signed by other CA

Alan DeKok aland at deployingradius.com
Thu Oct 31 19:38:16 CET 2019

> On Oct 31, 2019, at 2:09 PM, Mike DiBella <mike at dibella.net> wrote:
> In testing my OCSP responder configuration I've found that the following openssl command:
> openssl ocsp -issuer client_cer_root.cer -cert client.cer -VAfile ocsp_signer.cer -url http://ocsp.responder.net/ocsp
> returns:
> Response verify OK
> client.cer: good
>        This Update: Oct 31 11:43:47 2019 GMT
>        Next Update: Nov  2 00:03:47 2019 GMT
> I see that there is a client keyword in the verify section of the eap configuration file.   I'm wondering if I can I substitute this command for the default openssl verify command prototyped in the file?

  Yes, that should mostly work.  You should use %{TLS-Client-Cert-Filename} instead of a hard-coded filename though.  The server will write the client certificate to a temporary file, and then clean it up after OSCP tests are done.

> In my testing, it looks like openssl returns exit 0 for both verified and responder errors, so I'm wondering how freeradius parses the result of the command.

  FreeRADIUS looks for the command to succeed / fail.  If the OSCP responder is down, OpenSSL may do various magic.  :(

  The solution is to ensure that critical pieces of infrastructure stay up.

  Alan DeKok.

More information about the Freeradius-Users mailing list