[RADIATOR] CRL reload error

Alexander Hartmaier alexander.hartmaier at t-systems.at
Mon Mar 26 03:14:08 CDT 2012


Hi Heikki,

On 2012-03-22 17:16, Heikki Vatiainen wrote:
> On 03/21/2012 12:11 PM, Alexander Hartmaier wrote:
>
>> Now that our dot1x and WLAN Radiator needs to check three different crls
>> I've looked into a better solution for refreshing them.
>> While reading Radius::TLS I've stumbled over the method reloadCrls which
>> claims to reload the crl if the timestamp changes. Has this ever worked?
> I asked about this, and this is the current situation: The code in
> Radiator works and is enabled (if so configured) by default. So the code
> for checking CRLs is there without modifications to Radiator sources.
>
> If the check really happens as expected depends on OpenSSL library.
> There is a patch for a 0.9.? version, but it doesn't work in 1.0. It
> could be that some distributions have applied the patch themselves, so
> the situation is not very clear. There are a couple of entries in
> OpenSSL request tracker, but it does not look like they have been processed.
>
> You could try to see if it works on your system.
I didn't find anything regarding autoloading of the crl in the openssl
changelog so the patch must still not be mainline.
We're using Debian Squeeze (6) on the server with openssl from the
testing tree to get openssl 1.0.0 which is now at version 1.0.0h.
Is OCSP an option instead of a crl? Can Radiator use OCSP?
>
>> In the contextInit method you've put a note # REVISIT: what if a CRL
>> changes while we are running?
> Hmm, that might be a little older comment, I'll check that too.
>
>> I'm trying to restart Radiator as rarely as possible to not terminate an
>> ongoing EAP communication but the crls all have different expiration
>> dates (two have a lifetime of a day, the third of a week which will
>> probably also be changed to a day or less).
> That's very understandable.
>
> Heikki
>
>> Best regards, Alex