Issues extending EAP-TLS to use OCSP
Craig Huckabee
buzzsaw.code at gmail.com
Fri Mar 7 23:31:46 UTC 2025
If your OCSP certificate lacks the OCSP-specific OID, it will fail that basic verification process.
We submitted a patch for a “verifycert” Boolean that can disable that OID test, and it was accepted into the master branch.
I’ve got a version of that patch for 3.2.x that I’m happy to submit if the developers want it.
> On Mar 7, 2025, at 09:47, Przemysław Basa via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> Hi everyone,
>
> I have a working EAP-TLS setup using FreeRadius version 3.2.7. I'm trying to extend this setup to use OCSP but have not been successful. My configuration is as follows:
>
> ocsp {
>     enable = yes
>     override_cert_url = yes
>     url = "http://ocsp:8080/"
>     use_nonce = no
>     timeout = 1
>     softfail = no
> }
>
> I'm encountering the following error message:
>
> (4) eap_tls: ocsp: Using responder URL "http://ocsp:8080/"
> (4) eap_tls: ERROR: (TLS) ocsp: Couldn't verify OCSP basic response: error:13800076:OCSP routines::signer certificate not found
> (4) eap_tls: ERROR: (TLS) ocsp: Certificate has expired or been revoked
>
> For debugging purposes, when I disable OCSP and instead use the following configuration:
>
> verify {
>     tmpdir = /tmp/radiusd
>     client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/"
> }
>
> OpenSSL can communicate with the OCSP responder without issues (I adjusted the log formatting for better readability):
>
> (9) eap_tls: Verifying client certificate: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/
> (9) eap_tls: Executing: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/
> (9) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (9) eap_tls: --> /tmp/radiusd/radiusd.client.XXefFihM
> Response verify OK
> (9) eap_tls: Program returned code (0) and output 'OCSP Request Data:
>     Version: 1 (0x0)
>     Requestor List:
>         Certificate ID:
>           Hash Algorithm: sha1
>           Issuer Name Hash: F15315BA08FFF6A2400A75BEB618F1E27B9A2869
>           Issuer Key Hash: 8CB54C92E9319D17C39400BBC7615AF888B15BB1
>           Serial Number: 6280251183391E42D0FC4BE701F4BA61B204EE9D
> OCSP Response Data:
>     OCSP Response Status: successful (0x0)
>
> This is a simple setup where the same ca.pem is used to sign both client certificates and OCSP responses. I have tried different configurations, including enabling/disabling auto_chain, using both ca_file and ca_path, using only ca_file or only ca_path, and switching cipher_server_preference. However, I have not found a configuration that resolves the "signer certificate not found" error. I'm out of ideas.
>
> My full TLS configuration is as follows:
>
> tls-config tls-common {
>     private_key_password = whatever
>     private_key_file = ${certdir}/server.pem
>     certificate_file = ${certdir}/server.pem
>     ca_file = ${cadir}/ca.pem
>     ca_path = ${cadir}
>     auto_chain = yes
>     cipher_list = "DEFAULT"
>     cipher_server_preference = no
>     tls_min_version = "1.2"
>     tls_max_version = "1.2"
>     ecdh_curve = ""
>     cache {
>         enable = no
>         lifetime = 24 # hours
>         store {
>             Tunnel-Private-Group-Id
>         }
>     }
>     verify {
>         tmpdir = /tmp/radiusd
>         client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/"
>     }
>     ocsp {
>         enable = no
>         override_cert_url = yes
>         url = "http://ocsp:8080/"
>         use_nonce = no
>         timeout = 1
>         softfail = yes
>     }
> }
>
> I'd be grateful for any suggestions.
>
> Best regards,
> Przemyslaw Basa
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html