[EXT] Re: Trouble with OCSP

Orion Poplawski orion at nwra.com
Mon Dec 9 16:20:01 UTC 2024


On 12/4/24 15:35, Brian Julin wrote:
> Orion Poplawski <orion at nwra.com>
>> It appears that if ca_file is specified, ca_path is not used.  It
>> doesn't seem like this is explicitly stated in the docs.  Is this expected?
> 
> That's the general behavior of most applications that directly use OpenSSL libraries, at least the ones I have seen.  It's usually file or path, one or the other, not both.
> 
> The behavior likely comes from the OpenSSL API, so it would have seemed obvious to someone who uses that library often when they were writing the docs, but yes it might be useful to elaborate in the documentation, and maybe a link to some generic OpenSSL-hosted source that explains their basic PKI directory schemes.

Hmm, I'm not entirely sure this is true for the FreeRADIUS case - it calls:

        /* Load the CAs we trust */
        if (conf->ca_file || conf->ca_path)
                if (!X509_STORE_load_locations(store, conf->ca_file, conf->ca_path)) {
                        tls_error_log(NULL, "Error reading Trusted root CA list \"%s\"", conf->ca_file);
                        X509_STORE_free(store);
                        return NULL;
                }

And according to https://docs.openssl.org/3.0/man3/X509_STORE_add_cert/ :

X509_STORE_load_locations_ex() combines X509_STORE_load_file_ex() and
X509_STORE_load_path() for a given file and/or directory path. It is permitted
to specify just a file, just a directory, or both paths.


-- 
Orion Poplawski
he/him/his  - surely the least important thing about me
Manager of IT Systems                      720-772-5637
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/