[RADIATOR] OCSP validation

Heikki Vatiainen hvn at open.com.au
Wed Aug 16 09:02:21 UTC 2023


On 15.8.2023 23.53, Stefan Paetow (OpenSource) via radiator wrote:

> I suppose I should also provide the details I have in the Radiator 
> configuration:
> 
>          Protocol tcp
>          UseTLS
>          TLS_Protocols TLSv1.2
>          Secret radsec
>          TLS_CAFile %D/cert/roaming-eduPKI-CA.crt
>          TLS_CertificateFile %D/cert/hostname-eduPKI.pem
>          TLS_CertificateType PEM
>          TLS_PrivateKeyFile %D/cert/hostname-key.pem
>          TLS_PolicyOID [redacted]
>          TLS_RequireClientCert
>          TLS_Ciphers [redacted]
>          TLS_OCSPCheck
>          TLS_OCSPStapling
> #        TLS_CRLCheck
> #        TLS_CRLFile %D/cert/cacrl.pem
> 
> I would have thought that the TLS_CAFile value would be used by -issuer 
> and -CAfile. I suspect, by the error message displayed, that the -CAfile 
> value is not being supplied (and the CA assumed to be in the default CA 
> directory)...

Radiator uses OpenSSL APIs via Net::SSLeay for OCSP processing. It 
doesn't call 'openssl ocsp ...' to do this.

You'd need to have the Perl LWP::UserAgent module installed for talking to 
the OCSP responder (server); that's one external dependency that is 
required.

> As before, thoughts are much appreciated :-)

If you send me the logs, I can take a further look. It should work even 
with the latest OpenSSL 3.1.2, tested with the demo certificates that 
come with Radiator, but it's hard to say much more without seeing the logs.

Thanks,
Heikki

> Stefan
> 
> On Tue, 15 Aug 2023 at 21:32, Stefan Paetow (OpenSource) <oss at eons.net> wrote:
> 
>     Hi there,
> 
>     So, I've tried to use OCSP validation with the certificates issued
>     by eduPKI (so this covers the majority of eduroam national
>     operators and some identity providers). Radiator didn't like it and
>     kicked up failures.
> 
>     I then tried manually verifying and that succeeds, using this
>     command-line:
> 
>     openssl ocsp -issuer /etc/radiator/cert/roaming-eduPKI-CA.crt -cert /etc/radiator/cert/hostname-eduPKI.pem -CAfile /etc/radiator/cert/roaming-eduPKI-CA.crt -url http://ocsp.edupki.org/OCSP-Server/OCSP
> 
>     The URL is obviously retrieved from the certificate, but it appears
>     there's something missing when Radiator tries to do an OCSP verify.
> 
>     Thoughts?
> 
>     With kind regards
> 
>     Stefan
> 
> 
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software