Check certificate revocation when using LDAP/TLS
Benjamin Bouilhac
bouilhac.benjamin at outlook.fr
Wed Mar 8 14:43:01 UTC 2023
Thanks for the fast feedback, Alan! I'll look more into that.
________________________________
From: Freeradius-Users <freeradius-users-bounces+bouilhac.benjamin=outlook.fr at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, 8 March 2023 14:38
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Check certificate revocation when using LDAP/TLS
On Mar 8, 2023, at 8:30 AM, Benjamin Bouilhac <bouilhac.benjamin at outlook.fr> wrote:
> My FreeRADIUS is talking to an LDAP directory (OpenLDAP) over TLS and I need to check the revocation status of the LDAP server's certificate using a CRL.
That is really a property of the libldap library and its APIs. That library handles all of the TLS magic for the LDAP protocol.
The FreeRADIUS "tls" configuration just maps the configuration items to libldap API parameters.
> I tried adding check_crl in the tls section (of the LDAP module) but to no avail (see debug output below: check_crl is ignored when parsing the configuration):
Yes. If it's not documented as working, it doesn't work.
A little google-fu shows this:
https://stackoverflow.com/questions/44409029/openldap-enabling-crl-check-for-ldap-tls-connections
So it is possible to do, it just requires more code in rlm_ldap. Patches are always welcome...
> I know checking the revocation status of EAP client's certificate is well supported (in mods-available/eap) but I was wondering whether checking the revocation status of "backend" servers' certificates was as well and if so what I did wrong.
You did nothing wrong. It's just not implemented.
For EAP and RADIUS/TLS, FreeRADIUS implements EAP, RADIUS, and the interaction with TLS. For LDAP, we just hand everything off to OpenLDAP, and it does the work.
So if we implement some TLS checks for EAP, they pretty much work for free in RADIUS/TLS. And we can't leverage that work for libldap, because the APIs are completely different.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
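Since rlm_ldap does not apply a CRL to the LDAP server's certificate, the check can be reproduced out-of-band with the OpenSSL command line. The script below is an added example, not code from this thread, FreeRADIUS or OpenLDAP: it builds a throwaway CA and a constructed LDAP server certificate (the names are invented), revokes it, publishes a CRL, and then verifies the certificate with and without CRL checking, which is the kind of check libldap's own TLS_CRLCHECK setting performs on a live connection.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the revocation check that
# rlm_ldap's tls section does not perform, using a throwaway CA.
set -e

# Build a CA, issue a server certificate for a constructed LDAP host name,
# then revoke it and publish a CRL. All files land in the directory "$1".
make_demo_pki() (
    dir="$1"
    mkdir -p "$dir" && cd "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo LDAP CA" \
        -keyout ca.key -out ca.crt -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout ldap.key -out ldap.csr >/dev/null 2>&1
    openssl x509 -req -in ldap.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out ldap.crt -days 1 >/dev/null 2>&1
    # Minimal 'openssl ca' state: just enough to revoke a cert and sign a CRL.
    : > index.txt
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
EOF
    openssl ca -config ca.cnf -revoke ldap.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -md sha256 -crldays 1 -out crl.pem >/dev/null 2>&1
)

# Verify the server certificate against the CA. With "$2" = yes the CRL is
# consulted as well, which is what a working check_crl would have done.
# Prints "ok" when the chain is accepted and "rejected" otherwise.
verify_ldap_cert() {
    dir="$1"; crl="$2"
    if [ "$crl" = yes ]; then
        openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/crl.pem" \
            "$dir/ldap.crt" >/dev/null 2>&1 && echo ok || echo rejected
    else
        openssl verify -CAfile "$dir/ca.crt" "$dir/ldap.crt" >/dev/null 2>&1 \
            && echo ok || echo rejected
    fi
}
```

Without the CRL the chain verifies; with `-crl_check` the same certificate is refused, which is exactly the gap the thread describes for the LDAP backend.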