[RADIATOR] CRL reload error

Mike McCauley mikem at open.com.au
Sat Nov 28 18:38:58 CST 2009


Hello Markus,

On Saturday 28 November 2009 09:48:20 pm Markus Moeller wrote:
> ----- Original Message -----
> From: "Mike McCauley" <mikem at open.com.au>
> To: <radiator at open.com.au>
> Cc: "Markus Moeller" <huaraz at moeller.plus.com>
> Sent: Friday, November 27, 2009 9:50 PM
> Subject: Re: [RADIATOR] CRL reload error
>
> > Hello Markus,
> >
> > On Saturday 28 November 2009 05:30:46 am Markus Moeller wrote:
> >> I have a setup for wireless for 802.1x with certificates and want to
> >> check on CRLs. I use:
> >>
> >> EAPTLS_CRLCheck
> >> EAPTLS_CRLFile %D/certs/crls/User_CA_1.pem
> >>
> >>
> >> But when I update the CRL and it gets read again I get the following
> >> error:
> >>
> >> Fri Nov 27 08:19:15 2009: DEBUG: (Re)loading CRL file
> >> '/opt/Radiator/etc/certs/crls/User_CA_1.pem'
> >>
> >> Fri Nov 27 08:19:15 2009: ERR: Failed to add CRL file
> >> '/opt/Radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509
> >> certificate routines:X509_STORE_add_crl:cert already in hash table
> >>
> >> I use Net::SSLeay 1.35 with openssl 0.9.8l. How can I avoid restarting
> >> Radiator?
> >
> > Many (most) versions of openssl have problems when reloading CRLs at run
> > time.
> > Some versions fail in the way you describe. Some look like they worked but
> > they continue to use the old CRL.
> >
> > There is a patch available for 0.9.8 in the OpenSSL bugtracker that
> > fixes this problem. When I last checked 1.0.0 beta 2, it was not fixed in
> > that version.
> >
> > Hope that helps.
>
> Only partly. I now know why it doesn't work. Is there a workaround in
> Radiator? (e.g. send a signal to Radiator to close and reopen the CRL
> file - emulate a server restart without stopping the server?)

Alas, in the affected versions, openssl keeps the CRLs cached in its memory,
and we have not yet been able to find a way to convince it otherwise.

Cheers.


>
> > Cheers.
> >
> >> Thank you
> >>
> >> Markus
> >
>
> Thank you
> Markus



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
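Since the thread's answer is that a server on an affected OpenSSL keeps serving the CRL it loaded at start, the practical check is to compare what the server enforces with what the CRL file on disk says. The script below is an added example, not Radiator's or OpenSSL's own code: it builds a throwaway CA named User_CA_1 (matching the CRL file name in the thread), issues a client certificate, revokes it, regenerates the CRL and verifies the client certificate against the on-disk CRL with `openssl verify -crl_check`, then reads the CRL's crlNumber and nextUpdate, the two fields an operator would use to tell a freshly published CRL from a stale, cached one. The user "alice", serial number 2, the 7-day CRL lifetime and the work directory are constructed for the example; it needs only the `openssl` command.

```shell
#!/bin/sh
# Added example, not Radiator's or OpenSSL's own code: build a throwaway PKI
# with the openssl CLI, revoke the client certificate, regenerate the CRL and
# verify the client certificate against the CRL on disk with -crl_check.
# The CA name User_CA_1 matches the thread's CRL file name; the user "alice",
# the serial number 2, the 7-day CRL lifetime and the work directory are
# constructed for this example. Requires the openssl command.

set -eu

# make_pki DIR: CA key/cert, one client cert (serial 2), and an initial CRL
# numbered 1 that revokes nothing.
make_pki() {
    d=$1
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"          # empty CA database: nothing revoked yet
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"    # first CRL gets crlNumber 1, file then becomes 02
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = user_ca
[ user_ca ]
dir = $d
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = user_ca_policy
[ user_ca_policy ]
commonName = supplied
EOF
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj /CN=User_CA_1 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj /CN=alice -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 365 -out "$d/alice.pem" 2>/dev/null
    gen_crl "$d"
}

# gen_crl DIR: (re)issue User_CA_1.pem from the CA database, bumping crlNumber.
gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/User_CA_1.pem" 2>/dev/null
}

# revoke_alice DIR: mark alice's certificate revoked and publish a new CRL.
revoke_alice() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/alice.pem" 2>/dev/null
    gen_crl "$1"
}

# verify_with_crl DIR: exit 0 if alice's cert chains to the CA and is not
# listed in the CRL currently on disk, non-zero otherwise.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/User_CA_1.pem" \
        "$1/alice.pem" >/dev/null 2>&1
}

# crl_number DIR: the crlNumber of the CRL on disk (hex, e.g. 01), the value
# to compare against the CRL a long-running server actually loaded.
crl_number() {
    openssl crl -in "$1/User_CA_1.pem" -noout -crlnumber \
        | sed 's/^crlNumber=//; s/^0x//'
}

# crl_next_update DIR: the nextUpdate field; a CRL past this date is stale.
crl_next_update() {
    openssl crl -in "$1/User_CA_1.pem" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# demo: show the verdict flipping once the CRL on disk is regenerated.
demo() {
    w=$(mktemp -d)
    make_pki "$w"
    echo "crlNumber $(crl_number "$w"), nextUpdate $(crl_next_update "$w"): alice $(verify_with_crl "$w" && echo accepted || echo rejected)"
    revoke_alice "$w"
    echo "crlNumber $(crl_number "$w"), nextUpdate $(crl_next_update "$w"): alice $(verify_with_crl "$w" && echo accepted || echo rejected)"
    rm -rf "$w"
}

demo
```

Run it as `sh crl_check.sh`: the first line reports alice accepted under crlNumber 01, the second reports her rejected under crlNumber 02. A server that cached the first CRL would still answer "accepted" for the second line until it is restarted, which is exactly the gap the thread describes; checking crlNumber and nextUpdate of the file the server was started with, rather than the file currently on disk, is what tells you whether that gap is open.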
