[RADIATOR] CRL reload error
Hugh Irvine
hugh at open.com.au
Sat Nov 28 13:38:19 CST 2009
Hello Markus -
You can send a Radiator process a SIGHUP - see section 6 in the Radiator 4.5.1 manual ("doc/ref.pdf").
regards
Hugh
On 28 Nov 2009, at 22:48, Markus Moeller wrote:
>
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: <radiator at open.com.au>
> Cc: "Markus Moeller" <huaraz at moeller.plus.com>
> Sent: Friday, November 27, 2009 9:50 PM
> Subject: Re: [RADIATOR] CRL reload error
>
>
>> Hello Markus,
>>
>> On Saturday 28 November 2009 05:30:46 am Markus Moeller wrote:
>>> I have a setup for wireless for 802.1x with certificates and want to
>>> check on CRLs. I use:
>>>
>>> EAPTLS_CRLCheck
>>> EAPTLS_CRLFile %D/certs/crls/User_CA_1.pem
>>>
>>>
>>> But when I update the CRL and it gets read again I get the following
>>> error:
>>>
>>> Fri Nov 27 08:19:15 2009: DEBUG: (Re)loading CRL file
>>> '/opt/Radiator/etc/certs/crls/User_CA_1.pem'
>>>
>>> Fri Nov 27 08:19:15 2009: ERR: Failed to add CRL file
>>> '/opt/Radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509
>>> certificate routines:X509_STORE_add_crl:cert already in hash table
>>>
>>> I use Net::SSLeay 1.35 with openssl 0.9.8l. How can I avoid restarting
>>> Radiator?
>>
>> Many (most) versions of openssl have problems when reloading CRLs at run
>> time.
>> Some versions fail in the way you describe. Some look like they worked but
>> they continue to use the old CRL.
>>
>> There is a patch available for 0.9.8 in the OpenSSL bugtracker that fixes
>> this problem. When I last checked 1.0.0 beta 2, it was not fixed in that
>> version.
>>
>> Hope that helps.
>>
>
> Only partly. I now know why it doesn't work. Is there a workaround in
> Radiator? (e.g. send a signal to Radiator to close and reopen the CRL
> file - emulate a server restart without stopping the server?)
>
>> Cheers.
>>
>>>
>>> Thank you
>>>
>>> Markus
>>
>>
>>
>> --
>> Mike McCauley mikem at open.com.au
>> Open System Consultants Pty. Ltd
>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>> http://www.open.com.au
>> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
>> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>
>
> Thank you
> Markus
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
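The thread shows the one failure mode that is visible in the log: OpenSSL's X509_STORE_add_crl refuses the refreshed CRL with "cert already in hash table", so Radiator keeps serving with the old revocation list. An operator who relies on SIGHUP reloads wants to know when a reload has silently left a stale CRL in place. The following log check is an added example written for this post; it is not code from Radiator or from anyone in the thread. It assumes Radiator writes each trace record on a single line (the mail client wrapped the lines quoted above), that a "(Re)loading CRL file" DEBUG line not followed by a "Failed to add CRL file" ERR line for the same path means the reload succeeded, and it uses constructed sample lines modelled on Markus's trace (the second CRL path is invented for illustration). It cannot catch the other failure mode Mike describes, where OpenSSL reports success but keeps using the old CRL, because nothing in the log reveals that; for that case only a restart or the OpenSSL patch he mentions helps.

```python
import re

# Constructed sample trace, modelled on the Radiator 'trace 4' output quoted
# in the thread; each record is on one line as Radiator itself writes it.
SAMPLE_LOG = """\
Fri Nov 27 08:19:15 2009: DEBUG: (Re)loading CRL file '/opt/Radiator/etc/certs/crls/User_CA_1.pem'
Fri Nov 27 08:19:15 2009: ERR: Failed to add CRL file '/opt/Radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Fri Nov 27 08:19:15 2009: DEBUG: (Re)loading CRL file '/opt/Radiator/etc/certs/crls/User_CA_2.pem'
Fri Nov 27 08:20:02 2009: DEBUG: Packet dump:
"""

# The timestamp itself contains colons, so match it non-greedily up to the level tag.
RELOAD_RE = re.compile(r"^(?P<ts>.+?): DEBUG: \(Re\)loading CRL file '(?P<path>[^']+)'")
FAIL_RE = re.compile(
    r"^(?P<ts>.+?): ERR: Failed to add CRL file '(?P<path>[^']+)': (?P<reason>.*)$"
)


def crl_reload_status(lines):
    """Map each CRL path to (timestamp, ok, reason) for its most recent reload.

    Assumption (not something Radiator documents here): a reload line that is
    not followed by a failure line for the same path counts as successful.
    A later successful reload of the same path clears an earlier failure.
    """
    status = {}
    for line in lines:
        m = RELOAD_RE.match(line)
        if m:
            status[m["path"]] = (m["ts"], True, None)
            continue
        m = FAIL_RE.match(line)
        if m:
            status[m["path"]] = (m["ts"], False, m["reason"])
    return status


def stale_crls(lines):
    """Paths whose most recent reload attempt failed, i.e. the old CRL is still in use."""
    return [path for path, (_, ok, _) in crl_reload_status(lines).items() if not ok]


def is_known_openssl_reload_bug(reason):
    """True when the failure is the X509_STORE_add_crl duplicate-entry error from the thread."""
    return (
        reason is not None
        and "X509_STORE_add_crl" in reason
        and "cert already in hash table" in reason
    )


def report(lines):
    """Human-readable summary; returns the number of stale CRLs so callers can alert on it."""
    status = crl_reload_status(lines)
    stale = stale_crls(lines)
    for path in stale:
        ts, _, reason = status[path]
        hint = " (OpenSSL CRL reload bug; restart or patch OpenSSL)" if is_known_openssl_reload_bug(reason) else ""
        print(f"STALE CRL {path}: reload failed at {ts}{hint}")
    return len(stale)


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

Run it against a trace 4 log after each SIGHUP (or from a cron job); a non-zero return from `report` is the signal that the server is validating client certificates against an out-of-date revocation list.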