[RADIATOR] CRL reload question
Heikki Vatiainen
hvn at open.com.au
Wed Oct 30 16:20:13 CDT 2013
On 10/30/2013 10:39 PM, Markus Moeller wrote:
> I have linked it statically to avoid mixup with system libraries. There
> is no way to check it in another way is there ?
If you have Net::SSLeay newer than 1.42, try putting this in Radiator
configuration:
StartupHook sub { use Net::SSLeay; main::log($main::LOG_INFO, \
"SSL version: " . \
sprintf("0x%x", Net::SSLeay::SSLeay())); }
You should find something like this from Radiator logs:
INFO: SSL version: 0x1000100f
See this for more info:
http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions
Thanks,
Heikki
> Markus
>
> -----Original Message----- From: Heikki Vatiainen
> Sent: Wednesday, October 30, 2013 5:11 PM
> To: Markus Moeller ; radiator at open.com.au
> Subject: Re: [RADIATOR] CRL reload question
>
> On 10/29/2013 12:41 AM, Markus Moeller wrote:
>
>> I still get the same error with openssl 1.0.1. The CRL on disk is new,
>> but radiator says CRL is expired. Radiator also gives a reload CRL error
>> saying the CRL already exists.
>
> Hello Markus,
>
> can you do one more test? Check with 'ldd
> /path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL
> libs you expect it to.
>
> Thanks,
> Heikki
>
>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_1.pem'
>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509
>> certificate routines:X509_STORE_add_crl:cert already in hash table
>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_2.pem'
>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509
>> certificate routines:X509_STORE_add_crl:cert already in hash table
>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_4.pem'
>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_4.pem': error:0B07D065:x509
>> certificate routines:X509_STORE_add_crl:cert already in hash table
>> Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed:
>> CRL has expired, 19868: 1 - error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> Mon Oct 28 22:21:23 2013: INFO: EAP TLS certificate verification failed:
>> CRL has expired, 19868: 1 - error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>
>> # ls -al User_CA_2.pem
>> -rwxrwxrwx 1 root root 70699 Oct 28 21:55 User_CA_2.pem
>>
>> # /usr/sfw/bin/openssl crl -in User_CA_2.pem -noout -lastupdate
>> -nextupdate
>> lastUpdate=Oct 28 19:26:37 2013 GMT
>> nextUpdate=Nov 11 19:26:37 2013 GMT
>>
>>
>>
>> Markus
>>
>> -----Original Message----- From: Markus Moeller
>> Sent: Monday, September 30, 2013 10:50 PM
>> To: Heikki Vatiainen ; radiator at open.com.au
>> Subject: Re: [RADIATOR] CRL reload question
>>
>> Hi Heikki,
>>
>> OK I'll try with a later 1.x version.
>>
>> Thank you
>> Markus
>>
>> -----Original Message----- From: Heikki Vatiainen
>> Sent: Monday, September 30, 2013 10:18 PM
>> To: radiator at open.com.au
>> Subject: Re: [RADIATOR] CRL reload question
>>
>> On 09/29/2013 04:52 PM, Markus Moeller wrote:
>>
>>> I would expect something like this:
>>>
>>> If error "already in hashtable"
>>>
>>> $self->log($main::LOG_ERR, "Free old entry and add new CRL");
>>>
>>
>> Hello Markus,
>>
>> we have not looked at CRL reloading lately so I can not tell if the new
>> functions would help with CRL reloading. However, a quick look at
>> OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
>> in 1.x versions than e.g., in 0.9.8x. Also, these changes between 0.9.x
>> and 1.0.0 look promising (OpenSSL changelog):
>>
>> *) Allow multiple CRLs to exist in an X509_STORE with matching issuer
>> names.
>> Modify get_crl() to find a valid (unexpired) CRL if possible.
>> [Steve Henson]
>>
>> *) New function X509_CRL_match() to check if two CRLs are identical. Normally
>> this would be called X509_CRL_cmp() but that name is already used by
>> a function that just compares CRL issuer names. Cache several CRL
>> extensions in X509_CRL structure and cache CRLDP in X509.
>> [Steve Henson]
>>
>> If you plan to test this, can you see if you get different results with
>> OpenSSL 1.0.x versions than 0.9.8x?
>>
>> Thanks,
>> Heikki
>>
>>> # loop over the objects held in the X509_STORE (pseudocode; the
>>> # data/crl accessors are sketched, not existing Net::SSLeay calls)
>>> my $idx = 0;   # ?????
>>> for (my $i = $idx; $i < $cert_store->num; $i++) {
>>>     my $obj = $cert_store->data[$i];
>>>     if ($obj->data->crl == $crl->data->crl) {
>>>         # drop the old CRL object and put the freshly loaded one in its slot
>>>         Net::SSLeay::X509_CRL_free($obj);
>>>         $obj = Net::SSLeay::X509_CRL_new();
>>>         $obj->data->crl = $crl;
>>>         $cert_store->data[$i] = $obj;
>>>         last;
>>>     }
>>> }
>>>
>>> in TLS.pm. I haven’t tried it yet as I haven’t got a dev setup ready,
>>> but wonder if that looks sensible.
>>
>
>
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
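The log excerpt and the openssl output quoted above together tell the story: the on-disk CRL is valid until Nov 11, yet Radiator reports "CRL has expired", because X509_STORE_add_crl refused the reloaded file ("cert already in hash table") and the server kept verifying against the old in-memory CRL. The following Python script is an added example for monitoring this condition; it is not part of the thread and not Radiator code. It parses Radiator log lines and the output of `openssl crl -noout -lastupdate -nextupdate` (sample input constructed from the lines quoted in the thread) and separates "the CRL on disk has really expired" from "the reload was rejected and a stale CRL is still in memory". Radiator log timestamps carry no time zone; the script takes the zone as a parameter and the sample assumes UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, modelled on the Radiator log lines and the
# `openssl crl -noout -lastupdate -nextupdate` output quoted in the thread.
SAMPLE_LOG = (
    "Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file "
    "'/opt/radiator/etc/certs/crls/User_CA_2.pem'\n"
    "Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file "
    "'/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509 "
    "certificate routines:X509_STORE_add_crl:cert already in hash table\n"
    "Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed: "
    "CRL has expired, 19868: 1 - error:140890B2:SSL "
    "routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned\n"
)
SAMPLE_CRL_INFO = (
    "lastUpdate=Oct 28 19:26:37 2013 GMT\n"
    "nextUpdate=Nov 11 19:26:37 2013 GMT\n"
)

# "Mon Oct 28 22:15:22 2013: LEVEL: message" (Radiator's default log line shape)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>\w+): (?P<msg>.*)$"
)
RELOAD_RE = re.compile(r"\(Re\)loading CRL file '(?P<path>[^']+)'")
ADD_FAIL_RE = re.compile(r"Failed to add CRL file '(?P<path>[^']+)': (?P<err>.*)")
EXPIRED_RE = re.compile(r"certificate verification failed: CRL has expired")


def parse_log_time(ts, log_tz):
    """Radiator timestamps have no zone; the caller states which zone the host logs in."""
    return datetime.strptime(" ".join(ts.split()), "%a %b %d %H:%M:%S %Y").replace(tzinfo=log_tz)


def parse_radiator_log(text, log_tz=timezone.utc):
    """Extract CRL reload attempts, reload failures and 'CRL has expired' verdicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when, msg = parse_log_time(m.group("ts"), log_tz), m.group("msg")
        reload = RELOAD_RE.search(msg)
        failed = ADD_FAIL_RE.search(msg)
        if reload:
            events.append({"time": when, "kind": "reload", "path": reload.group("path")})
        elif failed:
            events.append({"time": when, "kind": "add_failed",
                           "path": failed.group("path"), "error": failed.group("err")})
        elif EXPIRED_RE.search(msg):
            events.append({"time": when, "kind": "crl_expired"})
    return events


def parse_crl_validity(openssl_output):
    """Turn lastUpdate/nextUpdate lines (openssl prints them in GMT) into aware UTC datetimes."""
    fields = dict(line.split("=", 1) for line in openssl_output.splitlines() if "=" in line)
    fmt = "%b %d %H:%M:%S %Y GMT"
    last = datetime.strptime(" ".join(fields["lastUpdate"].split()), fmt).replace(tzinfo=timezone.utc)
    nxt = datetime.strptime(" ".join(fields["nextUpdate"].split()), fmt).replace(tzinfo=timezone.utc)
    return last, nxt


def diagnose(log_text, openssl_output, log_tz=timezone.utc):
    """Return (code, detail) findings explaining why verification reported an expired CRL."""
    _, next_update = parse_crl_validity(openssl_output)
    findings = []
    for ev in parse_radiator_log(log_text, log_tz):
        if ev["kind"] == "add_failed" and "already in hash table" in ev["error"]:
            # The store refused the new CRL object, so the previously loaded one is still used.
            findings.append(("reload_rejected",
                             f"{ev['path']}: X509_STORE kept the previously loaded CRL"))
        elif ev["kind"] == "crl_expired":
            if ev["time"] < next_update:
                # Disk says valid, verifier says expired: the in-memory copy is stale.
                findings.append(("stale_crl_in_memory",
                                 f"on-disk CRL valid until {next_update:%Y-%m-%d %H:%M:%S %Z}, but "
                                 f"verification at {ev['time']:%Y-%m-%d %H:%M:%S %Z} reported it expired"))
            else:
                findings.append(("crl_expired_on_disk",
                                 f"nextUpdate {next_update:%Y-%m-%d %H:%M:%S %Z} has passed"))
    return findings


if __name__ == "__main__":
    for code, detail in diagnose(SAMPLE_LOG, SAMPLE_CRL_INFO):
        print(f"{code}: {detail}")
```

Feed it the live log and the openssl output for each file under the CRL directory; a `reload_rejected` finding followed by `stale_crl_in_memory` is the signature of the situation in this thread, and the fix is on the reload path (or a restart), not in the CRL file. A `crl_expired_on_disk` finding means the CA simply has not published a fresh CRL.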