[RADIATOR] OCSP validation
Stefan Paetow (OpenSource)
oss at eons.net
Wed Aug 16 10:31:09 UTC 2023
Hi Heikki,
This is in the log (I'm running in DEBUG, if you need TRACE, please let me
know):
599943: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamServer: New connection
from [IP_ADDRESS] port 37591
602499: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Stream connected to
[IP_ADDRESS] ([IP_ADDRESS] port 37591)
602877: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS sessionInit for
[IP_ADDRESS]
604329: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive:
605208: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL
initialization
605518: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL
initialization
605824: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL
initialization
606136: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1,
reason/error: 'SSL_ERROR_WANT_READ', state: 'before SSL initialization'
606597: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS Server Started for
[IP_ADDRESS] ([IP_ADDRESS] port 37591)
606885: DEBUG: ServerRADSEC (EDUROAM_RADSEC) New StreamServer Connection
created for [IP_ADDRESS] port 37591
607573: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive: [...]
607870: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL
initialization
608319: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS read
client hello
608581: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write
server hello
609117: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write
certificate
626293: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write key
exchange
626717: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write
certificate request
626958: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write
server done
627333: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write
server done
627628: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1,
reason/error: 'SSL_ERROR_WANT_READ', state: 'SSLv3/TLS write server done'
627994: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS send: [...]
636950: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive: [...]
637410: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write
server done
638238: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Verifying certificate
presented by peer [IP_ADDRESS]
638609: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Issuer Name is
/DC=org/DC=edupki/CN=eduPKI CA G 01
638884: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Subject Name is
[redacted]
639147: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Serial Number is
[redacted]
639804: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS sending OCSP request to
URI 'http://ocsp.edupki.org/OCSP-Server/OCSP' for certificate:
3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2
034756: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS OCSP response received for
certificate:
3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2
036004: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS OCSP response verification
'3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2'
failed: 0
036330: WARNING: ServerRADSEC (EDUROAM_RADSEC) Verifying OCSP response
failed for Subject '[redacted]' presented by peer [IP_ADDRESS]
036681: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: error
036944: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: error
037213: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1,
reason/error: 'SSL_ERROR_SSL', state: 'error'
037592: ERR: ServerRADSEC (EDUROAM_RADSEC) SSL_accept Certificate
verification error ([IP_ADDRESS] port 37591): verify error: application
verification failure, error:27069065:OCSP
routines:OCSP_basic_verify:certificate verify error
00000000 error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
037852: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Stream disconnected from
[IP_ADDRESS] ([IP_ADDRESS] port 37591)
I've redacted the source IP and the subject. I look at the 'response
verification' line (036004) where the result code is 0, which usually means
it was successful.
And yeah, like you say, you use APIs, and I considered whether adding the
CA certificate into the trusted store on the machine would make a
difference, but it doesn't appear so. Is there possibly an assumption
within Net::SSLeay that if you don't specify a certificate somehow to
verify the response with that the trusted store is used? :-/
I will note though that the response does not include a nonce (if the
request contains one), although that's not a requirement... This is the
case when I use 'openssl verify', so I assume the same applies to the API.
Kind regards
Stefan
On Wed, 16 Aug 2023 at 10:02, Heikki Vatiainen via radiator <
radiator at lists.open.com.au> wrote:
> On 15.8.2023 23.53, Stefan Paetow (OpenSource) via radiator wrote:
>
> > I suppose I should also provide the details I have in the Radiator
> > configuration:
> >
> > Protocol tcp
> > UseTLS
> > TLS_Protocols TLSv1.2
> > Secret radsec
> > TLS_CAFile %D/cert/roaming-eduPKI-CA.crt
> > TLS_CertificateFile %D/cert/hostname-eduPKI.pem
> > TLS_CertificateType PEM
> > TLS_PrivateKeyFile %D/cert/hostname-key.pem
> > TLS_PolicyOID [redacted]
> > TLS_RequireClientCert
> > TLS_Ciphers [redacted]
> > TLS_OCSPCheck
> > TLS_OCSPStapling
> > # TLS_CRLCheck
> > # TLS_CRLFile %D/cert/cacrl.pem
> >
> > I would have thought that the TLS_CAFile value would be used by -issuer
> > and -CAfile. I suspect by the error message displayed, that the -CAfile
> > value is not being supplied (and the CA assumed to be in the default CA
> > directory)...
>
> Radiator uses OpenSSL APIs via Net::SSLeay for OCSP processing. It
> doesn't call 'openssl ocsp ...' to do this.
>
> You'd need to have Perl LWP::UserAgent module installed for talking to
> the OCSP responder (server), that's one external dependency that is
> required.
>
> > As before, thoughts are much appreciated :-)
>
> If you send me the logs, I can take a further look. It should work even
> with the latest OpenSSL 3.1.2, tested with the demo certificates that
> come with Radiator, but it's hard to say much more without seeing the logs.
>
> Thanks,
> Heikki
>
> > Stefan
> >
> >
> >
> >
> >
> >
> > On Tue, 15 Aug 2023 at 21:32, Stefan Paetow (OpenSource) <oss at eons.net
> > <mailto:oss at eons.net>> wrote:
> >
> > Hi there,
> >
> > So, I've tried to use OCSP validation with the certificates issued
> > by eduPKI (so this covers the majority of eduroam national
> > operators and some identity providers). Radiator didn't like it and
> > kicked up failures.
> >
> > I then tried manually verifying and that succeeds, using this
> > command-line:
> >
> > openssl ocsp -issuer /etc/radiator/cert/roaming-eduPKI-CA.crt -cert
> > /etc/radiator/cert/hostname-eduPKI.pem -CAfile
> > /etc/radiator/cert/roaming-eduPKI-CA.crt -url
> > http://ocsp.edupki.org/OCSP-Server/OCSP
> > <http://ocsp.edupki.org/OCSP-Server/OCSP>
> >
> > The URL is obviously retrieved from the certificate, but it appears
> > there's something missing when Radiator tries to do an OCSP verify.
> >
> > Thoughts?
> >
> > With kind regards
> >
> > Stefan
> >
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at lists.open.com.au
> > https://lists.open.com.au/mailman/listinfo/radiator
>
> --
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20230816/c3f7d6d0/attachment-0001.html>
More information about the radiator
mailing list