Issues extending EAP-TLS to use OCSP

Craig Huckabee buzzsaw.code at gmail.com
Fri Mar 7 23:31:46 UTC 2025


If your OCSP certificate lacks the OCSP specific OID it will fail that basic verification process.

We submitted a patch for a “verifycert” Boolean that can disable that OID test, and it was accepted for the master branch.

I’ve got a version of that patch for 3.2.x that I’m happy to submit if the developers want it.

> On Mar 7, 2025, at 09:47, Przemysław Basa via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hi everyone,
> 
> I have a working EAP-TLS setup using FreeRADIUS version 3.2.7. I'm trying to extend this setup to use OCSP but have not been successful. My configuration is as follows:
> 
> ocsp {
>    enable = yes
>    override_cert_url = yes
>    url = "http://ocsp:8080/"
>    use_nonce = no
>    timeout = 1
>    softfail = no
> }
> 
> I'm encountering the following error message:
> 
> (4) eap_tls: ocsp: Using responder URL "http://ocsp:8080/"
> (4) eap_tls: ERROR: (TLS) ocsp: Couldn't verify OCSP basic response: error:13800076:OCSP routines::signer certificate not found
> (4) eap_tls: ERROR: (TLS) ocsp: Certificate has expired or been revoked
> 
> For debugging purposes, when I disable OCSP and instead use the following configuration:
> 
> verify {
>    tmpdir = /tmp/radiusd
>    client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/"
> }
> 
> OpenSSL can communicate with the OCSP responder without issues (I adjusted the log formatting for better readability.):
> 
> (9) eap_tls: Verifying client certificate: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/
> (9) eap_tls: Executing: /usr/bin/openssl ocsp -issuer /opt/etc/raddb/certs/ca.pem -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/
> (9) eap_tls: EXPAND %{TLS-Client-Cert-Filename}
> (9) eap_tls:    --> /tmp/radiusd/radiusd.client.XXefFihM
> Response verify OK
> (9) eap_tls: Program returned code (0) and output 'OCSP Request Data:
>    Version: 1 (0x0)
>    Requestor List:
>        Certificate ID:
>            Hash Algorithm: sha1
>            Issuer Name Hash: F15315BA08FFF6A2400A75BEB618F1E27B9A2869
>            Issuer Key Hash: 8CB54C92E9319D17C39400BBC7615AF888B15BB1
>            Serial Number: 6280251183391E42D0FC4BE701F4BA61B204EE9D
> OCSP Response Data:
>    OCSP Response Status: successful (0x0)
> 
> This is a simple setup where the same ca.pem is used to sign both client certificates and OCSP responses. I have tried different configurations, including enabling/disabling auto_chain, using both ca_file and ca_path, using only ca_file or only ca_path, and switching cipher_server_preference. However, I have not found a configuration that resolves the "signer certificate not found" error. I'm out of ideas.
> 
> My full TLS configuration is as follows:
> 
> tls-config tls-common {
>    private_key_password = whatever
>    private_key_file = ${certdir}/server.pem
>    certificate_file = ${certdir}/server.pem
>    ca_file = ${cadir}/ca.pem
>    ca_path = ${cadir}
>    auto_chain = yes
>    cipher_list = "DEFAULT"
>    cipher_server_preference = no
>    tls_min_version = "1.2"
>    tls_max_version = "1.2"
>    ecdh_curve = ""
>    cache {
>        enable = no
>        lifetime = 24 # hours
>        store {
>            Tunnel-Private-Group-Id
>        }
>    }
>    verify {
>        tmpdir = /tmp/radiusd
>        client = "/usr/bin/openssl ocsp -issuer ${..ca_file} -cert %{TLS-Client-Cert-Filename} -no_nonce -text -url http://ocsp:8080/"
>    }
>    ocsp {
>        enable = no
>        override_cert_url = yes
>        url = "http://ocsp:8080/"
>        use_nonce = no
>        timeout = 1
>        softfail = yes
>    }
> }
> 
> I'd be grateful for any suggestions.
> 
> Best regards,
> Przemyslaw Basa
> 
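The thread turns on two conditions OpenSSL's OCSP response verification (OCSP_basic_verify, the routine behind the "Couldn't verify OCSP basic response" message) imposes: the certificate that signed the response must be locatable, either embedded in the response or supplied separately to the verifier, and when that signer is a delegated responder certificate rather than the issuing CA itself it must carry the OCSP Signing extended key usage (the OID Craig refers to). The script below is an added example written for this page, not code from the thread or from the FreeRADIUS project. It assumes only the openssl command-line tool (1.1.1 or later) and builds a throwaway CA, client certificate and responder certificates in a temporary directory, then generates and verifies responses offline with openssl's built-in responder mode so that "signer certificate not found" and the missing-EKU failure can be reproduced and told apart without a network responder.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL's OCSP response verification outcomes with a
# constructed, throwaway PKI. Requires the openssl CLI; nothing here touches a
# real CA or responder.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Run a setup step quietly but stop on failure.
q() { "$@" >/dev/null 2>&1 || { echo "setup step failed: $*" >&2; exit 1; }; }

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[responder_eku]
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
[responder_no_eku]
keyUsage = critical, digitalSignature
[client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Throwaway CA, one client certificate, and two delegated responder
# certificates issued from the same key: with and without id-kp-OCSPSigning.
q openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 2 -subj "/CN=Demo CA"
q openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=demo-client"
q openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 -days 2 -extfile demo.cnf -extensions client -out client.pem
q openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr -subj "/CN=Demo OCSP Responder"
q openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x2001 -days 2 -extfile demo.cnf -extensions responder_eku -out ocsp-eku.pem
q openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 0x2002 -days 2 -extfile demo.cnf -extensions responder_no_eku -out ocsp-noeku.pem

# "openssl ca"-style index (constructed): serial 1001 is valid (V).
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=demo-client\n' > index.txt
printf 'unique_subject = no\n' > index.txt.attr

# Produce a response for client.pem using openssl's responder mode.
#   $1 = responder certificate, $2 = output file, $3.. = extra responder options
#   (e.g. -resp_no_certs to leave the signer certificate out of the response)
make_response() {
    cert=$1; out=$2; shift 2
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$cert" -rkey ocsp.key \
        -issuer ca.pem -cert client.pem -no_nonce -respout "$out" "$@" >/dev/null 2>&1
}

# Verify a response the way a relying party does (signature, chain to the CA,
# responder authorization). Prints "OK" or "FAIL: <first OpenSSL OCSP reason>".
#   $1 = response file, $2.. = extra verifier options (e.g. -verify_other FILE)
verify_response() {
    resp=$1; shift
    out=$(openssl ocsp -respin "$resp" -issuer ca.pem -cert client.pem -no_nonce \
              -CAfile ca.pem "$@" 2>&1) || true
    case $out in
        *"Response verify OK"*) echo "OK" ;;
        *) reason=$(printf '%s\n' "$out" | sed -n 's/.*OCSP routines:[^:]*:\([^:]*\).*/\1/p' | head -n 1)
           echo "FAIL: ${reason:-unknown}" ;;
    esac
}

make_response ocsp-eku.pem   resp-eku.der
make_response ocsp-noeku.pem resp-noeku.der
make_response ocsp-eku.pem   resp-nocerts.der -resp_no_certs

echo "delegated responder with OCSPSigning EKU:       $(verify_response resp-eku.der)"
echo "delegated responder without the EKU:            $(verify_response resp-noeku.der)"
echo "signer certificate omitted from the response:   $(verify_response resp-nocerts.der)"
echo "same response, signer handed to the verifier:   $(verify_response resp-nocerts.der -verify_other ocsp-eku.pem)"
```

The third line is the case in the thread's log: when the responder does not embed its signing certificate and the verifier has nothing else to search, OpenSSL reports "signer certificate not found" before it ever checks the chain or the extended key usage. The second line is the separate failure for a delegated signer that lacks the OCSP Signing EKU. A responder that signs with the issuing CA's own key needs no EKU, but its certificate still has to be findable by the verifier, so inspecting the response with `openssl ocsp -respin FILE -text` to see which certificates it carries is the quickest way to decide which of the two conditions a deployment is hitting.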
