[RADIATOR] CRL reload error

Markus Moeller huaraz at moeller.plus.com
Sat Nov 28 05:48:20 CST 2009


----- Original Message ----- 
From: "Mike McCauley" <mikem at open.com.au>
To: <radiator at open.com.au>
Cc: "Markus Moeller" <huaraz at moeller.plus.com>
Sent: Friday, November 27, 2009 9:50 PM
Subject: Re: [RADIATOR] CRL reload error


> Hello Markus,
>
> On Saturday 28 November 2009 05:30:46 am Markus Moeller wrote:
>> I have a setup for wireless for 802.1x with certificates and want to check
>> on CRLs. I use:
>>
>> EAPTLS_CRLCheck
>> EAPTLS_CRLFile %D/certs/crls/User_CA_1.pem
>>
>>
>> But when I update the CRL and it gets read again I get the following error:
>>
>> Fri Nov 27 08:19:15 2009: DEBUG: (Re)loading CRL file '/opt/Radiator/etc/certs/crls/User_CA_1.pem'
>>
>> Fri Nov 27 08:19:15 2009: ERR: Failed to add CRL file '/opt/Radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
>>
>> I use Net::SSLeay 1.35 with OpenSSL 0.9.8l. How can I avoid restarting
>> Radiator?
>
> Many (most) versions of OpenSSL have problems when reloading CRLs at run
> time. Some versions fail in the way you describe. Some look like they worked
> but they continue to use the old CRL.
>
> There is a patch available for 0.9.8 in the OpenSSL bugtracker that fixes
> this problem. When I last checked 1.0.0 beta 2, it was not fixed in that
> version.
>
> Hope that helps.
>

Only partly. I now know why it doesn't work. Is there a workaround in
Radiator? (e.g. send a signal to Radiator to close and reopen the CRL
file - emulate a server restart without stopping the server?)

> Cheers.
>
>>
>> Thank you
>>
>> Markus
>
>
>
> -- 
> Mike McCauley                               mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia 
> http://www.open.com.au
> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>

Thank you
Markus 
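
An added example, not part of the original messages and not Radiator code: a log check that pairs the "(Re)loading CRL file" and "Failed to add CRL file" lines quoted above and reports CRL files whose latest reload failed, so that revocations in the new file are known not to be loaded. It assumes the log line layout shown in the thread and treats a reload with no following ERR line as accepted; as noted in the reply above, some OpenSSL versions keep using the old CRL without logging an error, which this check cannot see. The function names and the second sample path are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the first two lines are the thread's log lines, unwrapped;
# the third (Other_CA.pem) is invented to show a reload with no error logged.
SAMPLE_LOG = """\
Fri Nov 27 08:19:15 2009: DEBUG: (Re)loading CRL file '/opt/Radiator/etc/certs/crls/User_CA_1.pem'
Fri Nov 27 08:19:15 2009: ERR: Failed to add CRL file '/opt/Radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Fri Nov 27 09:19:15 2009: DEBUG: (Re)loading CRL file '/opt/Radiator/etc/certs/crls/Other_CA.pem'
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")
RELOAD = re.compile(r"\(Re\)loading CRL file '([^']+)'")
FAILED = re.compile(r"Failed to add CRL file '([^']+)': (.*)")
DUPLICATE_REASON = "cert already in hash table"  # reason string from the thread's log


def crl_reload_status(log_text):
    """Map each CRL path to the outcome of its most recent reload attempt."""
    status = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        stamp = datetime.strptime(line.group(1), "%a %b %d %H:%M:%S %Y")
        level, msg = line.group(2), line.group(3)
        reload_, failed = RELOAD.match(msg), FAILED.match(msg)
        if level == "DEBUG" and reload_:
            entry = status.setdefault(reload_.group(1), {"attempts": 0, "failures": 0})
            entry["attempts"] += 1
            # Assumption: no ERR line after the attempt means the file was accepted.
            entry.update(last_attempt=stamp, stale=False, reason=None, duplicate=False)
        elif level == "ERR" and failed:
            entry = status.setdefault(failed.group(1), {"attempts": 0, "failures": 0})
            entry["failures"] += 1
            # OpenSSL error strings read error:<code>:<library>:<function>:<reason>
            parts = failed.group(2).split(":", 4)
            reason = parts[4] if len(parts) == 5 else failed.group(2)
            entry.update(last_failure=stamp, stale=True, reason=reason,
                         duplicate=(reason == DUPLICATE_REASON))
    return status


def stale_crls(log_text):
    """Paths whose latest reload failed, so the new CRL file was not loaded."""
    return sorted(p for p, e in crl_reload_status(log_text).items() if e["stale"])
```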



