(RADIATOR) CRL reloading is not working

Mike McCauley mikem at open.com.au
Thu Jan 31 17:35:47 CST 2008


Hello Jan,

How did you test the reloading in the second case? Did you create a new CRL, 
or just touch the CRL file without changing its contents?

Cheers.

On Thursday 31 January 2008 22:50, Jan Tomasek wrote:
> Hi,
>
> to complete my EAP-TLS evaluation I today tested CRL support of Radiator.
>
> When using:
> 	EAPTLS_CAPath	/etc/ssl
> 	EAPTLS_CRLCheck
> Radiator correctly uses <issuer-subject-hash>.r0 in EAPTLS_CAPath but
> wasn't able to detect when the CRL was changed on disk. I'm not sure whether
> to blame Net::SSLeay (1.30-1) or even OpenSSL (0.9.8c-4etch1). Radiator
> continues to use the old CRL until it gets restarted.
>
>
> When I tested using:
> 	EAPTLS_CRLCheck
> 	EAPTLS_CRLFile		/etc/ssl/380fec8f.r0
> Radiator correctly detects the change of the file on disk but the CRL is not
> being reloaded. I studied the method reloadCrls and slightly modified it:
> > $self->log($main::LOG_DEBUG,
> >     &Net::SSLeay::X509_STORE_add_crl($cert_store, $crl));
> > my $err = &Net::SSLeay::ERR_get_error();
> > $self->log($main::LOG_DEBUG, $err);
> > $self->log($main::LOG_DEBUG, &Net::SSLeay::ERR_error_string($err));
>
> debug output:
> > Thu Jan 31 13:35:10 2008: DEBUG: Handling request with Handler 'User-Name=/^TLS\+.+ at .+/'
> > Thu Jan 31 13:35:10 2008: DEBUG:  Deleting session for TLS+semik at cesnet.cz, 127.0.0.1,
> > Thu Jan 31 13:35:10 2008: DEBUG: Handling with Radius::AuthFILE:
> > Thu Jan 31 13:35:10 2008: DEBUG: Handling with EAP: code 2, 0, 24, 1
> > Thu Jan 31 13:35:10 2008: DEBUG: Response type 1
> > Thu Jan 31 13:35:10 2008: DEBUG: (Re)loading CRL file '/etc/ssl/380fec8f.r0'
> > Thu Jan 31 13:35:10 2008: DEBUG: 0
> > Thu Jan 31 13:35:10 2008: DEBUG: 185061477
> > Thu Jan 31 13:35:10 2008: DEBUG: error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
>
> I'm missing methods for replacing a CRL inside X509_STORE in
> openssl/x509_vfy.h. Maybe it will require a rebuild of the whole context.
>
>
> Please, can both problems be fixed? We are not sure which CRL checking
> method we will finally deploy. It would be nice to have both available.
>
> Thanks
> --
> -----------------------
> Jan Tomasek aka Semik
> http://www.tomasek.cz/
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
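The thread turns on two separate reload questions: whether a changed mtime means the CRL content actually changed (Mike's question about touching versus regenerating the file), and what a store should do when it is handed a CRL for an issuer it already holds (the "cert already in hash table" error from X509_STORE_add_crl). The following is an added example written for this page; it is not Radiator's reloadCrls, not Net::SSLeay, and not OpenSSL. It models an X509_STORE with a plain Python class that keeps one CRL per issuer and uses a constructed JSON file format as a stand-in for a DER CRL, so that it runs offline without any CA material. The file name, the issuer name, the serial numbers and the CRL numbers are all constructed. The reload decision is made on a content digest rather than on mtime alone, a replacement is accepted only when the new CRL is different, and a CRL with a lower CRL number than the one already held is refused, which is the rollback check a verifier wants when CRLs are fetched from disk or a mirror.

```python
import hashlib
import json
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a parsed X.509 CRL (issuer, CRL number, revoked serials)."""
    issuer: str
    crl_number: int
    revoked: frozenset


def parse_crl(raw: bytes) -> Crl:
    """Parse the constructed JSON CRL format used by this example (not DER/PEM)."""
    d = json.loads(raw)
    return Crl(d["issuer"], int(d["crl_number"]), frozenset(d["revoked"]))


class CrlStore:
    """Holds one CRL per issuer, like an X509_STORE that refuses a second identical copy."""

    def __init__(self):
        self._by_issuer = {}

    def add_or_replace(self, crl: Crl) -> str:
        cur = self._by_issuer.get(crl.issuer)
        if cur is None:
            self._by_issuer[crl.issuer] = crl
            return "added"
        if cur.crl_number == crl.crl_number and cur.revoked == crl.revoked:
            return "duplicate"        # same object again: OpenSSL reports 'already in hash table'
        if crl.crl_number < cur.crl_number:
            return "rejected-older"   # never roll back to a stale CRL
        self._by_issuer[crl.issuer] = crl   # the replacement path X509_STORE lacks
        return "replaced"

    def is_revoked(self, issuer: str, serial: str) -> bool:
        crl = self._by_issuer.get(issuer)
        return crl is not None and serial in crl.revoked


class CrlFileReloader:
    """Reloads one CRL file into the store when its content, not only its mtime, changes."""

    def __init__(self, path: str, store: CrlStore):
        self.path, self.store = path, store
        self._mtime = None
        self._digest = None

    def check(self) -> str:
        st = os.stat(self.path)
        if self._mtime is not None and st.st_mtime == self._mtime:
            return "unchanged"        # cheap path: nothing touched the file
        self._mtime = st.st_mtime
        with open(self.path, "rb") as fh:
            raw = fh.read()
        digest = hashlib.sha256(raw).hexdigest()
        if digest == self._digest:
            return "touched-only"     # mtime moved but the bytes are identical
        self._digest = digest
        return self.store.add_or_replace(parse_crl(raw))


def demo():
    """Walk a CRL file through touch, regenerate and rollback; returns (events, store)."""
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "380fec8f.r0")   # constructed name echoing the thread
        stamp = [1_000_000_000]

        def write(crl_number, revoked):
            # Constructed CRL content; the explicit utime makes each mtime step deterministic.
            with open(path, "w") as fh:
                json.dump({"issuer": "CN=Example CA", "crl_number": crl_number,
                           "revoked": revoked}, fh)
            stamp[0] += 10
            os.utime(path, (stamp[0], stamp[0]))

        store = CrlStore()
        reloader = CrlFileReloader(path, store)
        events = []
        write(1, ["0A"]);            events.append(reloader.check())   # added
        events.append(reloader.check())                                 # unchanged
        stamp[0] += 10
        os.utime(path, (stamp[0], stamp[0]))
        events.append(reloader.check())                                 # touched-only
        write(2, ["0A", "0B"]);      events.append(reloader.check())   # replaced
        write(1, ["0A"]);            events.append(reloader.check())   # rejected-older
        return events, store
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    evts, st = demo()
    print(evts, st.is_revoked("CN=Example CA", "0B"))
```

The "touched-only" outcome is exactly the case Mike asks about: a reloader keyed on mtime sees a change, but the store correctly has nothing new to learn, and a real X509_STORE will answer with the "already in hash table" error seen in the debug output. The "replaced" branch is what X509_STORE does not offer directly, which is why a server that wants hot CRL reload typically builds a fresh store or context rather than adding into the old one.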
