[RADIATOR] CRLs not working with EAP TLS

Markus Moeller huaraz at moeller.plus.com
Wed Mar 26 17:01:04 CDT 2014


>-----Original Message-----
>From: Heikki Vatiainen
>Sent: Wednesday, March 26, 2014 9:09 PM
>To: radiator at open.com.au
>Subject: Re: [RADIATOR] CRLs not working with EAP TLS
>
>On 03/24/2014 11:59 PM, Markus Moeller wrote:
>
>> I have set up EAP-TLS for wired 802.1x using CRLCheck, but I noticed that
>> despite having the certificate serial number in the CRL Radiator still
>> accepts the presented certificate (I also can see Radiator re-read the
>> CRL file).
>
>Hello Markus,
>

Hi Heikki

>I did some testing, compiled the Net-SSLeay 1.58 and OpenSSL 1.0.1e. I
>see the same as you: the file change is noticed by Radiator and the file
>is loaded. The changes, however, do not have any effect.
>
>If I just touch the file without changing it, the libs give the 'cert
>already in hash table' error.
>

Thank you for testing. That is not good news. I was intending to use
wired 802.1x, and a restart means switches may need to fail over to the
secondary RADIUS server, especially if you want to do frequent CRL checks, and
may disrupt clients when the regular EAP reauth happens. Do you or others on
the list have experience with optimised EAP reauth switch settings?

>>  I was trying to verify that the serial numbers match using
>> the EAPTLS_CertificateVerifyHook function but can’t extract the
>> certificate serial number. I tried with  my $ai =
>> &Net::SSLeay::X509_get_serialNumber($x509);  which I read does not give
>> the serial  number but an ASN.1 encoded string. Does anybody have a tool
>> which converts it into a serial number which I can compare to the CRL
>> serial number ?
>
>Are you thinking of this?
>
>my $ai = Net::SSLeay::X509_get_serialNumber($x509); \
>my $rv = Net::SSLeay::ASN1_INTEGER_get($ai); \
>print "ai: $ai rv: $rv\n"; \
>

Yes, something like that. Is it Net::SSLeay or &Net::SSLeay?

I think I need to use P_ASN1_INTEGER-get_hex($ai).

Did you try this too? In my test I got 0 for $ai, which doesn't seem to be
correct.

>> Does anybody have CRL working for EAP TLS ?
>
>It does look like a restart is needed when the CRL is refreshed. The
>verify against CRL seems to work, but refreshing the CRL without restart
>looks problematic.
>

This is then an underlying OpenSSL issue, isn't it? Do you know if OCSP
will be available instead?

>Thanks,
>Heikki
>

Thank you
Markus

>--
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.

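The serial comparison discussed in this thread, as an added example that is not part of the original messages or of Radiator: it reads the certificate serial as hex text and checks it against the serials listed in `openssl crl -noout -text` output. The helper names and the sample CRL text are constructed for illustration, and `$x509` is assumed to be a Net::SSLeay certificate handle as in the thread.

```perl
use strict;
use warnings;

# Canonical form: upper-case hex, no "0x", no separators, no leading zeros.
sub normalize_serial {
    my ($s) = @_;
    $s =~ s/^\s*0x//i;
    $s =~ s/[^0-9A-Fa-f]//g;
    $s = uc $s;
    $s =~ s/^0+(?=.)//;    # keep a single 0 for serial zero
    return $s;
}

# Collect revoked serials from `openssl crl -noout -text` output.
sub revoked_serials {
    my ($crl_text) = @_;
    my %revoked;
    while ($crl_text =~ /^\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$/mg) {
        $revoked{ normalize_serial($1) } = 1;
    }
    return \%revoked;
}

# X509_get_serialNumber returns an ASN1_INTEGER handle, not the number.
# Serials may be up to 20 octets, so take hex text rather than an integer.
sub cert_serial_hex {
    my ($x509) = @_;    # Net::SSLeay certificate handle, as $x509 in the thread
    require Net::SSLeay;
    my $ai = Net::SSLeay::X509_get_serialNumber($x509);
    return normalize_serial(Net::SSLeay::P_ASN1_INTEGER_get_hex($ai));
}
sub is_revoked {
    my ($serial, $revoked) = @_;
    return exists $revoked->{ normalize_serial($serial) } ? 1 : 0;
}

# Constructed sample in the layout printed by `openssl crl -noout -text`.
my $crl_text = <<'EOT';
Revoked Certificates:
    Serial Number: 1000
        Revocation Date: Mar 24 21:00:00 2014 GMT
    Serial Number: 0A3F9C00D1E2F3A4B5C6
        Revocation Date: Mar 25 09:30:00 2014 GMT
EOT

my $revoked = revoked_serials($crl_text);
for my $serial ('1000', '0a:3f:9c:00:d1:e2:f3:a4:b5:c6', '1001') {
    printf "%-30s %s\n", $serial, is_revoked($serial, $revoked) ? 'REVOKED' : 'not listed';
}
```

Inside a verify hook the check would be `is_revoked(cert_serial_hex($x509), $revoked)`, with `$revoked` rebuilt whenever the CRL file changes.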