(RADIATOR) CRL reloading is not working
mikem at open.com.au
Thu Jan 31 17:35:47 CST 2008
How did you test the reloading in the second case? Did you create a new CRL,
or just touch the CRL file without changing its contents?
On Thursday 31 January 2008 22:50, Jan Tomasek wrote:
> to complete my EAP-TLS evaluation I today tested CRL suport of Radiator.
> When using:
> EAPTLS_CAPath /etc/ssl
> Radiator correctly uses <issuer-subject-hash>.r0 in EAPTLS_CAPath but
> wasn't able to detect when CRL was changed on disk. I'm not sure if
> blame Net::SSLeay (1.30-1) or even OpenSSL (0.9.8c-4etch1). Radiator
> continue use old CRL until get restarted.
> When I tested using:
> EAPTLS_CRLFile /etc/ssl/380fec8f.r0
> Radiator correctly detects change of file on disk but CRL is not being
> reloaded. I studied method reloadCrls and slightly modified it:
> > $self->log($main::LOG_DEBUG,
> > &Net::SSLeay::X509_STORE_add_crl($cert_store, $crl)); my $err =
> > &Net::SSLeay::ERR_get_error();
> > $self->log($main::LOG_DEBUG, $err);
> > $self->log($main::LOG_DEBUG, &Net::SSLeay::ERR_error_string($err));
> debug output:
> > Thu Jan 31 13:35:10 2008: DEBUG: Handling request with Handler
> > 'User-Name=/^TLS\+.+ at .+/' Thu Jan 31 13:35:10 2008: DEBUG: Deleting
> > session for TLS+semik at cesnet.cz, 127.0.0.1, Thu Jan 31 13:35:10 2008:
> > DEBUG: Handling with Radius::AuthFILE: Thu Jan 31 13:35:10 2008: DEBUG:
> > Handling with EAP: code 2, 0, 24, 1 Thu Jan 31 13:35:10 2008: DEBUG:
> > Response type 1
> > Thu Jan 31 13:35:10 2008: DEBUG: (Re)loading CRL file
> > '/etc/ssl/380fec8f.r0' Thu Jan 31 13:35:10 2008: DEBUG: 0
> > Thu Jan 31 13:35:10 2008: DEBUG: 185061477
> > Thu Jan 31 13:35:10 2008: DEBUG: error:0B07D065:x509 certificate
> > routines:X509_STORE_add_crl:cert already in hash table
> I'm missing methods for replacing CRL inside X509_STORE in
> openssl/x509_vfy.h. Maybe it will require rebuild for whole context.
> Please, can be both problems fixed? We are not sure which CRL checking
> method we will finally deploy. It would be nice to have both available.
> Jan Tomasek aka Semik
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator