[RADIATOR] CRL reload question

Heikki Vatiainen hvn at open.com.au
Wed Oct 30 12:11:59 CDT 2013


On 10/29/2013 12:41 AM, Markus Moeller wrote:

>   I still get the same error with openssl 1.0.1. The CRL on disk is new,
> but radiator says CRL is expired. Radiator also gives a reload CRL error
> saying the CRL already exists.

Hello Markus,

can you do one more test? Check with 'ldd
/path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL
libs you expect it to.

Thanks,
Heikki

> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
> '/opt/radiator/etc/certs/crls/User_CA_1.pem'
> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
> '/opt/radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509
> certificate routines:X509_STORE_add_crl:cert already in hash table
> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
> '/opt/radiator/etc/certs/crls/User_CA_2.pem'
> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
> '/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509
> certificate routines:X509_STORE_add_crl:cert already in hash table
> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
> '/opt/radiator/etc/certs/crls/User_CA_4.pem'
> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
> '/opt/radiator/etc/certs/crls/User_CA_4.pem': error:0B07D065:x509
> certificate routines:X509_STORE_add_crl:cert already in hash table
> Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed:
> CRL has expired,  19868: 1 - error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Mon Oct 28 22:21:23 2013: INFO: EAP TLS certificate verification failed:
> CRL has expired,  19868: 1 - error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> 
> # ls -al User_CA_2.pem
> -rwxrwxrwx   1 root     root       70699 Oct 28 21:55 User_CA_2.pem
> 
> # /usr/sfw/bin/openssl crl -in User_CA_2.pem -noout -lastupdate -nextupdate
> lastUpdate=Oct 28 19:26:37 2013 GMT
> nextUpdate=Nov 11 19:26:37 2013 GMT
> 
> 
> 
> Markus
> 
> -----Original Message-----
> From: Markus Moeller
> Sent: Monday, September 30, 2013 10:50 PM
> To: Heikki Vatiainen ; radiator at open.com.au
> Subject: Re: [RADIATOR] CRL reload question
> 
> Hi Heikki,
> 
>   OK I'll try with a later 1.x version.
> 
> Thank you
> Markus
> 
> -----Original Message-----
> From: Heikki Vatiainen
> Sent: Monday, September 30, 2013 10:18 PM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] CRL reload question
> 
> On 09/29/2013 04:52 PM, Markus Moeller wrote:
> 
>>    I would expect something like this:
>>
>> If error "already in hashtable"
>>
>> $self->log($main::LOG_ERR, "Free old entry and add new CRL");
>>
> 
> Hello Markus,
> 
> we have not looked at CRL reloading lately so I can not tell if the new
> functions would help with CRL reloading. However, a quick look at
> OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
> in 1.x versions than e.g., in 0.9.8x. Also, these changes between 0.9.x
> and 1.0.0 look promising (OpenSSL changelog):
> 
>  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
>     Modify get_crl() to find a valid (unexpired) CRL if possible.
>     [Steve Henson]
> 
>  *) New function X509_CRL_match() to check if two CRLs are identical. Normally
>     this would be called X509_CRL_cmp() but that name is already used by
>     a function that just compares CRL issuer names. Cache several CRL
>     extensions in X509_CRL structure and cache CRLDP in X509.
>     [Steve Henson]
> 
> If you plan to test this, can you see if you get different results with
> OpenSSL 1.0.x versions than 0.9.8x?
> 
> Thanks,
> Heikki
> 
>> loop over objects
>> my $idx = 0 ?????
>> for (my $i = $idx; $i < $cert_store->num; $i++) {
>>    my $obj = $cert_store->data[$i];
>>    if ($obj->data.crl == $crl->data.crl) {
>>        &Net::SSLeay::X509_CRL_free($obj);
>>        $obj = Net::SSLeay::X509_CRL_new();
>>        $obj->data.crl = $crl;
>>        $cert_store->data[$i] = $obj;
>>        last;
>>    }
>> }
>>
>> in TLS.pm.  I  haven’t tried it yet as I haven’t got a dev setup ready,
>> but wonder if that looks sensible.
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
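The thread above turns on two things: whether a store treats a freshly written CRL from the same CA as a "duplicate" (the "cert already in hash table" error), and whether lookup then prefers an unexpired CRL (the quoted get_crl() change). The script below is an added illustration written for this archive page, not Radiator, Net::SSLeay or OpenSSL code. It builds two constructed, unsigned sample CRLs for one issuer (an expired one and a fresh one using the lastUpdate/nextUpdate values from Markus's openssl output), parses thisUpdate/nextUpdate/issuer out of the DER itself, and compares an issuer-only duplicate policy with an "identical CRL" policy in a toy store. The CrlStore class, its policy names and reload_outcome() are this example's own inventions; the sample CRLs carry a dummy signature, so a real deployment would verify the CRL signature against the CA before trusting any of these fields.

```python
"""Added example: why a CRL reload can fail with an issuer-only duplicate check,
and what an unexpired-first lookup gives instead. Sample CRLs are constructed
here as unsigned DER so the script runs offline; they are NOT valid signed CRLs."""
import hashlib
from datetime import datetime, timezone

UTC_TIME, GEN_TIME, SEQUENCE, SET = 0x17, 0x18, 0x30, 0x31
INTEGER, OID, NULL, BIT_STRING, PRINTABLE = 0x02, 0x06, 0x05, 0x03, 0x13


def der(tag, body):
    """Encode one DER TLV (short and long definite-length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        items.append((tag, inner))
    return items


def utc_time(dt):
    return der(UTC_TIME, dt.strftime('%y%m%d%H%M%SZ').encode())


def build_sample_crl(issuer_cn, this_update, next_update):
    """Constructed CRL: TBSCertList(version, sigAlg, issuer, thisUpdate, nextUpdate),
    no revoked entries, dummy signature bits."""
    sig_alg = der(SEQUENCE, der(OID, bytes.fromhex('2a864886f70d01010b')) + der(NULL, b''))  # sha256WithRSA
    cn = der(SEQUENCE, der(OID, bytes.fromhex('550403')) + der(PRINTABLE, issuer_cn.encode()))  # commonName
    issuer = der(SEQUENCE, der(SET, cn))
    tbs = der(SEQUENCE, der(INTEGER, b'\x01') + sig_alg + issuer
              + utc_time(this_update) + utc_time(next_update))
    return der(SEQUENCE, tbs + sig_alg + der(BIT_STRING, b'\x00' * 33))


def parse_time(tag, body):
    fmt = '%y%m%d%H%M%SZ' if tag == UTC_TIME else '%Y%m%d%H%M%SZ'
    return datetime.strptime(body.decode('ascii'), fmt).replace(tzinfo=timezone.utc)


def parse_crl(crl_der):
    """Extract issuer (raw DER Name), thisUpdate, nextUpdate and a SHA-256 fingerprint."""
    _, outer, _ = der_read(crl_der)
    _, tbs, _ = der_read(outer)
    fields = der_children(tbs)
    if fields[0][0] == INTEGER:           # version is OPTIONAL (absent for v1 CRLs)
        fields = fields[1:]
    issuer = fields[1][1]                 # fields[0] is the signature AlgorithmIdentifier
    this_update = parse_time(*fields[2])
    has_next = len(fields) > 3 and fields[3][0] in (UTC_TIME, GEN_TIME)
    next_update = parse_time(*fields[3]) if has_next else None
    return {'issuer': issuer, 'this_update': this_update, 'next_update': next_update,
            'fingerprint': hashlib.sha256(crl_der).hexdigest()}


class CrlStore:
    """Toy store (hypothetical, not OpenSSL's X509_STORE). Policy 'issuer' allows one CRL
    per issuer name; 'identical' rejects only a byte-identical CRL, in the spirit of
    the X509_CRL_match() change quoted in the thread."""
    def __init__(self, duplicate_policy='identical'):
        self.policy, self.crls = duplicate_policy, []

    def add(self, crl_der):
        info = parse_crl(crl_der)
        for old in self.crls:
            same = old['issuer'] == info['issuer'] if self.policy == 'issuer' \
                else old['fingerprint'] == info['fingerprint']
            if same:
                raise ValueError('cert already in hash table')
        self.crls.append(info)
        return info['fingerprint']

    def get_crl(self, issuer, now):
        """Prefer an unexpired CRL for this issuer; fall back to the newest one otherwise."""
        same_issuer = [c for c in self.crls if c['issuer'] == issuer]
        valid = [c for c in same_issuer if c['this_update'] <= now
                 and (c['next_update'] is None or now < c['next_update'])]
        pool = valid or same_issuer
        return max(pool, key=lambda c: c['this_update']) if pool else None


def reload_outcome(policy):
    """An expired CRL is loaded, then a fresh CRL from the same CA is reloaded.
    Returns (reload_accepted, crl_in_use_has_expired) at the log's timestamp."""
    utc = timezone.utc
    now = datetime(2013, 10, 28, 22, 20, 52, tzinfo=utc)          # from the quoted log line
    old = build_sample_crl('User CA 2', datetime(2013, 10, 1, tzinfo=utc),
                           datetime(2013, 10, 15, tzinfo=utc))    # constructed, already expired
    new = build_sample_crl('User CA 2', datetime(2013, 10, 28, 19, 26, 37, tzinfo=utc),
                           datetime(2013, 11, 11, 19, 26, 37, tzinfo=utc))  # dates from openssl output
    store = CrlStore(policy)
    store.add(old)
    try:
        store.add(new)
        accepted = True
    except ValueError:
        accepted = False
    current = store.get_crl(parse_crl(new)['issuer'], now)
    return accepted, current['next_update'] <= now


if __name__ == '__main__':
    for policy in ('issuer', 'identical'):
        print(policy, reload_outcome(policy))
```

Under the 'issuer' policy the reload is refused and the verifier keeps using the expired CRL, which is exactly the pairing of "cert already in hash table" with "CRL has expired" seen in the log; under the 'identical' policy the fresh CRL is admitted and get_crl() returns it. The same parse_crl() can be pointed at a DER-decoded production CRL to confirm what nextUpdate the running process would see, which is the check the `openssl crl -nextupdate` command in the thread performs on disk.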