Issues extending EAP-TLS to use OCSP
Przemysław Basa
pmb at langbit.pl
Fri Mar 7 14:47:09 UTC 2025
Hi everyone,
I have a working EAP-TLS setup using FreeRADIUS version 3.2.7. I'm trying to extend this setup to use OCSP but have not been successful. My configuration is as follows:
ocsp {
    enable = yes
    override_cert_url = yes
    url = "http://ocsp:8080/"
    use_nonce = no
    timeout = 1
    softfail = no
}
I'm encountering the following error message:
(4) eap_tls: ocsp: Using responder URL "http://ocsp:8080/"
(4) eap_tls: ERROR: (TLS) ocsp: Couldn't verify OCSP basic response: error:13800076:OCSP routines::signer certificate not found
(4) eap_tls: ERROR: (TLS) ocsp: Certificate has expired or been revoked
For debugging purposes, when I disable OCSP and instead use the following configuration:
verify {
    tmpdir = /tmp/radiusd
    client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/"
}
OpenSSL can communicate with the OCSP responder without issues (I adjusted the log formatting for better readability):
(9) eap_tls: Verifying client certificate: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/
(9) eap_tls: Executing: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/
(9) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
(9) eap_tls: --> /tmp/radiusd/radiusd.client.XXefFihM
Response verify OK
(9) eap_tls: Program returned code (0) and output 'OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F15315BA08FFF6A2400A75BEB618F1E27B9A2869
          Issuer Key Hash: 8CB54C92E9319D17C39400BBC7615AF888B15BB1
          Serial Number: 6280251183391E42D0FC4BE701F4BA61B204EE9D
OCSP Response Data:
    OCSP Response Status: successful (0x0)
This is a simple setup where the same ca.pem is used to sign both client certificates and OCSP responses. I have tried
different configurations, including enabling/disabling auto_chain, using both ca_file and ca_path, using only ca_file or
only ca_path, and switching cipher_server_preference. However, I have not found a configuration that resolves the
"signer certificate not found" error. I'm out of ideas.
My full TLS configuration is as follows:
tls-config tls-common {
    private_key_password = whatever
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem
    ca_file = ${cadir}/ca.pem
    ca_path = ${cadir}
    auto_chain = yes
    cipher_list = "DEFAULT"
    cipher_server_preference = no
    tls_min_version = "1.2"
    tls_max_version = "1.2"
    ecdh_curve = ""
    cache {
        enable = no
        lifetime = 24 # hours
        store {
            Tunnel-Private-Group-Id
        }
    }
    verify {
        tmpdir = /tmp/radiusd
        client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/"
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://ocsp:8080/"
        use_nonce = no
        timeout = 1
        softfail = yes
    }
}
I'd be grateful for any suggestions.
Best regards,
Przemyslaw Basa
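The "signer certificate not found" error above, reproduced in an offline lab as an added example (not part of the post and not FreeRADIUS code): openssl's built-in responder answers one request twice, once leaving its signing certificate out of the response and once embedding it, and a verifier that trusts only the CA is run against both. The CA, the certificates, the serials, the file names and the index.txt contents are constructed for the demo; the responder signs with a delegated OCSP signer rather than with the CA itself, and only the openssl command-line tool (1.1.1 or 3.x) is required.

```shell
# Added offline lab, not the poster's setup: a throwaway CA, one client cert and a
# delegated OCSP signer. Names, serials and file names are constructed for the demo.
set -e
LAB=$(mktemp -d); cd "$LAB"
# Throwaway CA that issues both the client cert and the OCSP signing cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=lab-ca \
    -keyout ca.key -out ca.pem 2>/dev/null
# Client cert with serial 1000 (hex 03E8) so the responder finds it in index.txt.
openssl req -newkey rsa:2048 -nodes -subj /CN=lab-client \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 1000 \
    -days 2 -out client.pem 2>/dev/null
# Responder cert: a separate cert (not the CA) carrying the OCSPSigning EKU.
openssl req -newkey rsa:2048 -nodes -subj /CN=lab-ocsp \
    -keyout ocsp.key -out ocsp.csr 2>/dev/null
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 2000 \
    -days 2 -extfile ocsp.ext -out ocsp.pem 2>/dev/null
# CA database in the layout "openssl ocsp -index" reads (tab separated):
# status, expiry, revocation date (empty), serial in hex, file, subject.
printf 'V\t300101000000Z\t\t03E8\tunknown\t/CN=lab-client\n' > index.txt
# One request, answered twice by openssl's built-in responder: once with the
# signer cert left out of the response (-resp_no_certs), once embedded (default).
openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -reqout req.der >/dev/null
respond() {  # $1 = response file; remaining args = extra responder flags
    out=$1; shift
    openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
        -reqin req.der -respout "$out" "$@" >/dev/null 2>&1
}
respond bare.der -resp_no_certs
respond full.der
# Verify as a relying party that trusts only ca.pem: echoes "ok" on success,
# otherwise the OCSP error the verifier reported.
verify() {  # $1 = response file; remaining args = extra verifier flags
    resp=$1; shift
    if openssl ocsp -respin "$resp" -issuer ca.pem -CAfile ca.pem -cert client.pem \
            -no_nonce "$@" >verify.log 2>&1; then
        echo ok
    elif grep -q 'signer certificate not found' verify.log; then
        echo 'signer certificate not found'
    else
        echo 'verify failed'
    fi
}
BARE=$(verify bare.der)                                      # signer certificate not found
BARE_WITH_SIGNER=$(verify bare.der -verify_other ocsp.pem)   # ok
EMBEDDED=$(verify full.der)                                  # ok
echo "no certs: $BARE | +verify_other: $BARE_WITH_SIGNER | embedded: $EMBEDDED"
```

The same response fails or passes depending only on whether the verifier can locate the signing certificate, either embedded in the response by the responder or supplied to the verifier out of band; the trust store alone is not consulted for that lookup.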