Issues extending EAP-TLS to use OCSP

Przemysław Basa pmb at langbit.pl
Fri Mar 7 14:47:09 UTC 2025 

Hi everyone,

I have a working EAP-TLS setup using FreeRadius version 3.2.7. I'm trying to extend this setup to use OCSP but have not 
been successful. My configuration is as follows:

ocsp {
     enable = yes
     override_cert_url = yes
     url = "http://ocsp:8080/"
     use_nonce = no
     timeout = 1
     softfail = no
}

I'm encountering the following error message:

(4) eap_tls: ocsp: Using responder URL "http://ocsp:8080/"
(4) eap_tls: ERROR: (TLS) ocsp: Couldn't verify OCSP basic response: error:13800076:OCSP routines::signer certificate 
not found
(4) eap_tls: ERROR: (TLS) ocsp: Certificate has expired or been revoked

For debugging purposes, when I disable OCSP and instead use the following configuration:

verify {
     tmpdir = /tmp/radiusd
     client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url 
http://ocsp:8080/"
}

OpenSSL can communicate with the OCSP responder without issues (I adjusted the log formatting for better readability.):

(9) eap_tls: Verifying client certificate: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert 
%{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/
(9) eap_tls: Executing: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} 
-no_nonce -text -url http://ocsp:8080/
(9) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(9) eap_tls:    --> /tmp/radiusd/radiusd.client.XXefFihM
Response verify OK
(9) eap_tls: Program returned code (0) and output 'OCSP Request Data:
     Version: 1 (0x0)
     Requestor List:
         Certificate ID:
             Hash Algorithm: sha1
             Issuer Name Hash: F15315BA08FFF6A2400A75BEB618F1E27B9A2869
             Issuer Key Hash: 8CB54C92E9319D17C39400BBC7615AF888B15BB1
             Serial Number: 6280251183391E42D0FC4BE701F4BA61B204EE9D
OCSP Response Data:
     OCSP Response Status: successful (0x0)

This is a simple setup where the same ca.pem is used to sign both client certificates and OCSP responses. I have tried 
different configurations, including enabling/disabling auto_chain, using both ca_file and ca_path, using only ca_file or 
only ca_path, and switching cipher_server_preference. However, I have not found a configuration that resolves the 
"signer certificate not found" error. I'm out of ideas.

My full TLS configuration is as follows:

tls-config tls-common {
     private_key_password = whatever
     private_key_file = ${certdir}/server.pem
     certificate_file = ${certdir}/server.pem
     ca_file = ${cadir}/ca.pem
     ca_path = ${cadir}
     auto_chain = yes
     cipher_list = "DEFAULT"
     cipher_server_preference = no
     tls_min_version = "1.2"
     tls_max_version = "1.2"
     ecdh_curve = ""
     cache {
         enable = no
         lifetime = 24 # hours
         store {
             Tunnel-Private-Group-Id
         }
     }
     verify {
         tmpdir = /tmp/radiusd
         client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url 
http://ocsp:8080/"
     }
     ocsp {
         enable = no
         override_cert_url = yes
         url = "http://ocsp:8080/"
         use_nonce = no
         timeout = 1
         softfail = yes
     }
}

I'd be grateful for any suggestions.

Best regards,
Przemyslaw Basa

More information about the Freeradius-Users mailing list