Freeradius v3.0.19 prioritize OCSP in checking client certificate rather than crl.
Alan DeKok
aland at deployingradius.com
Wed Sep 4 12:46:13 CEST 2019
On Sep 3, 2019, at 11:11 PM, Dennis Diamsay <dennis.diamsay at gmail.com> wrote:
> Using Freeradius to authenticate client certificates using EAP, I noticed that CRL checking is prioritized over OCSP.
>
> If check_crl is disabled in the eap configuration, that is the only time the OCSP checking will take place.
>
> Can someone help me with how to configure freeradius to prioritize OCSP in checking the client certificate?
Change the source. See src/main/tls.c, and the function cbtls_verify().
The main issue is that CRL checking is done in OpenSSL *before* that function is called. So we can't really control the order of operations.
Alan DeKok.