(RADIATOR) CRL reloading is not working

Jan Tomasek jan at tomasek.cz
Thu Jan 31 06:50:59 CST 2008 

Hi,

to complete my EAP-TLS evaluation I today tested CRL suport of Radiator.

When using:
	EAPTLS_CAPath	/etc/ssl
	EAPTLS_CRLCheck
Radiator correctly uses <issuer-subject-hash>.r0 in EAPTLS_CAPath but 
wasn't able to detect when CRL was changed on disk. I'm not sure if 
blame Net::SSLeay (1.30-1) or even OpenSSL (0.9.8c-4etch1). Radiator 
continue use old CRL until get restarted.


When I tested using:
	EAPTLS_CRLCheck
	EAPTLS_CRLFile		/etc/ssl/380fec8f.r0
Radiator correctly detects change of file on disk but CRL is not being 
reloaded. I studied method reloadCrls and slightly modified it:

> $self->log($main::LOG_DEBUG, &Net::SSLeay::X509_STORE_add_crl($cert_store, $crl));
> my $err = &Net::SSLeay::ERR_get_error();
> $self->log($main::LOG_DEBUG, $err);
> $self->log($main::LOG_DEBUG, &Net::SSLeay::ERR_error_string($err));

debug output:

> Thu Jan 31 13:35:10 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+ at .+/'
> Thu Jan 31 13:35:10 2008: DEBUG:  Deleting session for TLS+semik at cesnet.cz, 127.0.0.1, 
> Thu Jan 31 13:35:10 2008: DEBUG: Handling with Radius::AuthFILE: 
> Thu Jan 31 13:35:10 2008: DEBUG: Handling with EAP: code 2, 0, 24, 1
> Thu Jan 31 13:35:10 2008: DEBUG: Response type 1
> Thu Jan 31 13:35:10 2008: DEBUG: (Re)loading CRL file '/etc/ssl/380fec8f.r0'
> Thu Jan 31 13:35:10 2008: DEBUG: 0
> Thu Jan 31 13:35:10 2008: DEBUG: 185061477
> Thu Jan 31 13:35:10 2008: DEBUG: error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table

I'm missing methods for replacing CRL inside X509_STORE in 
openssl/x509_vfy.h. Maybe it will require rebuild for whole context.


Please, can be both problems fixed? We are not sure which CRL checking 
method we will finally deploy. It would be nice to have both available.

Thanks
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list