Freeradius v3.0.19 prioritize OCSP in checking client certificate rather than crl.

Alan DeKok aland at
Wed Sep 4 12:46:13 CEST 2019

On Sep 3, 2019, at 11:11 PM, Dennis Diamsay <dennis.diamsay at> wrote:
> Using Freeradius to authenticate client certificate using EAP, I noticed that CRL checking is prioritized than OCSP.
> If check_crl is disable in the eap configuration, that is the only time the OCSP checking will take place.
> Can someone help me on how to configure freeradius to prioritize OCSP in checking client certificate?

  Change the source.  See src/main/tls.c, and the function cbtls_verify()

  The main issue is that CRL checking is done in OpenSSL *before* that function is called.  So we can't really control the order of operations.

  Alan DeKok.

More information about the Freeradius-Users mailing list