[RADIATOR] CRL reload question

Hartmaier Alexander alexander.hartmaier at t-systems.at
Thu Oct 31 03:16:30 CDT 2013


This is a more human friendly output:

/$path/to/perl/used/by/radiator/perl -MNet::SSLeay -E 'say Net::SSLeay::SSLeay_version()'

On 2013-10-30 23:25, Markus Moeller wrote:
> Hi Heikki,
>
>    Thank you for that.  Despite my attempts to use the latest static openssl
> library I used an old one :-(. I will retest.
>
> Markus
>
> -----Original Message-----
> From: Heikki Vatiainen
> Sent: Wednesday, October 30, 2013 9:20 PM
> To: Markus Moeller ; radiator at open.com.au
> Subject: Re: [RADIATOR] CRL reload question
>
> On 10/30/2013 10:39 PM, Markus Moeller wrote:
>
>>  I have linked it statically to avoid mixup with system libraries. There
>> is no way to check it in another way is there ?
> If you have Net::SSLeay newer than 1.42, try putting this in Radiator
> configuration:
>
> StartupHook sub { use Net::SSLeay; main::log($main::LOG_INFO, \
>                   "SSL version: " . \
>                   sprintf("0x%x", Net::SSLeay::SSLeay())); }
>
> You should find something like this from Radiator logs:
>
>    INFO: SSL version: 0x1000100f
>
> See this for more info:
> http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions
>
> Thanks,
> Heikki
>
>
>> Markus
>>
>> -----Original Message----- From: Heikki Vatiainen
>> Sent: Wednesday, October 30, 2013 5:11 PM
>> To: Markus Moeller ; radiator at open.com.au
>> Subject: Re: [RADIATOR] CRL reload question
>>
>> On 10/29/2013 12:41 AM, Markus Moeller wrote:
>>
>>>   I still get the same error with openssl 1.0.1. The CRL on disk is new,
>>> but radiator says CRL is expired. Radiator also gives a reload CRL error
>>> saying the CRL already exists.
>> Hello Markus,
>>
>> can you do one more test? Check with 'ldd
>> /path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL
>> libs you expect it to.
>>
>> Thanks,
>> Heikki
>>
>>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>>> '/opt/radiator/etc/certs/crls/User_CA_1.pem'
>>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>>> '/opt/radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509
>>> certificate routines:X509_STORE_add_crl:cert already in hash table
>>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>>> '/opt/radiator/etc/certs/crls/User_CA_2.pem'
>>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>>> '/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509
>>> certificate routines:X509_STORE_add_crl:cert already in hash table
>>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>>> '/opt/radiator/etc/certs/crls/User_CA_4.pem'
>>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>>> '/opt/radiator/etc/certs/crls/User_CA_4.pem': error:0B07D065:x509
>>> certificate routines:X509_STORE_add_crl:cert already in hash table
>>> Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed:
>>> CRL has expired,  19868: 1 - error:140890B2:SSL
>>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>> Mon Oct 28 22:21:23 2013: INFO: EAP TLS certificate verification failed:
>>> CRL has expired,  19868: 1 - error:140890B2:SSL
>>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>>
>>> # ls -al User_CA_2.pem
>>> -rwxrwxrwx   1 root     root       70699 Oct 28 21:55 User_CA_2.pem
>>>
>>> # /usr/sfw/bin/openssl crl -in User_CA_2.pem -noout -lastupdate
>>> -nextupdate
>>> lastUpdate=Oct 28 19:26:37 2013 GMT
>>> nextUpdate=Nov 11 19:26:37 2013 GMT
>>>
>>>
>>>
>>> Markus
>>>
>>> -----Original Message----- From: Markus Moeller
>>> Sent: Monday, September 30, 2013 10:50 PM
>>> To: Heikki Vatiainen ; radiator at open.com.au
>>> Subject: Re: [RADIATOR] CRL reload question
>>>
>>> Hi Heikki,
>>>
>>>   OK I'll try with a later 1.x version.
>>>
>>> Thank you
>>> Markus
>>>
>>> -----Original Message----- From: Heikki Vatiainen
>>> Sent: Monday, September 30, 2013 10:18 PM
>>> To: radiator at open.com.au
>>> Subject: Re: [RADIATOR] CRL reload question
>>>
>>> On 09/29/2013 04:52 PM, Markus Moeller wrote:
>>>
>>>>    I would  expect  something like this:
>>>>
>>>> If error "already in hashtable"
>>>>
>>>> $self->log($main::LOG_ERR, "Free old entry and add new CRL");
>>>>
>>> Hello Markus,
>>>
>>> we have not looked at CRL reloading lately so I can not tell if the new
>>> functions would help with CRL reloading. However, a quick look at
>>> OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
>>> in 1.x versions than e.g., in 0.9.8x. Also, these changes between 0.9.x
>>> and 1.0.0 look promising (OpenSSL changelog):
>>>
>>>  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer
>>> names.
>>>     Modify get_crl() to find a valid (unexpired) CRL if possible.
>>>     [Steve Henson]
>>>
>>>  *) New function X509_CRL_match() to check if two CRLs are identical.
>>> Normally
>>>     this would be called X509_CRL_cmp() but that name is already used by
>>>     a function that just compares CRL issuer names. Cache several CRL
>>>     extensions in X509_CRL structure and cache CRLDP in X509.
>>>     [Steve Henson]
>>>
>>> If you plan to test this, can you see if you get different results with
>>> OpenSSL 1.0.x versions than 0.9.8x?
>>>
>>> Thanks,
>>> Heikki
>>>
>>>> loop over objects
>>>> my $idx = 0 ?????
>>>> for (i = $idx ; i< $cert_store->num; i++) {
>>>>    my $obj -> $cert_store->data[i];
>>>>    if (obj->data.crl == $crl->data.crl) {
>>>>        &Net::SSLeay::X509_CRL_free($obj);
>>>>        $obj = Net::SSLeay::X509_CRL_new();
>>>>        $obj->data.crl = $crl;
>>>>        $cert_store->data[i] = $obj;
>>>>        break
>>>>    }
>>>> }
>>>>
>>>> in TLS.pm.  I  haven’t tried it yet as I haven’t got a dev setup ready,
>>>> but wonder if that looks sensible.
>>
>

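An added diagnostic, not Radiator's code and not from the thread, that reproduces the reload behaviour discussed above: it loads two CRLs from the same issuer into one X509_STORE through Net::SSLeay and prints OpenSSL's verdict on each add, so you can see whether the OpenSSL actually linked is the pre-1.0.0 kind that refuses any second CRL for an issuer. The script name and the two file arguments are assumptions.

```perl
#!/usr/bin/env perl
# Added diagnostic (hypothetical script, not part of Radiator): add CRLs to an
# X509_STORE the way a reload does and report what OpenSSL says each time.
# Usage: crl_reload_check.pl old_crl.pem new_crl.pem
#   (two CRLs from the same issuer; "old" has the earlier lastUpdate)
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

my ($old_crl, $new_crl) = @ARGV;
die "usage: $0 old_crl.pem new_crl.pem\n" unless $old_crl && $new_crl;

# Same number the StartupHook in the thread logs, e.g. 0x1000100f for 1.0.1f
printf "OpenSSL as seen by Net::SSLeay: 0x%x\n", Net::SSLeay::SSLeay();

my $ctx   = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
my $store = Net::SSLeay::CTX_get_cert_store($ctx);

# Read a PEM CRL from disk and try to add it to the store, as a reload would.
sub add_crl {
    my ($store, $path) = @_;
    my $bio = Net::SSLeay::BIO_new_file($path, 'r') or die "cannot open $path\n";
    my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
    Net::SSLeay::BIO_free($bio);
    die "$path: not a PEM CRL\n" unless $crl;
    my $ok  = Net::SSLeay::X509_STORE_add_crl($store, $crl);
    my $msg = $ok ? 'ok'
                  : Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
    # The store takes its own reference on success, so our copy is always freed.
    Net::SSLeay::X509_CRL_free($crl);
    printf "%-40s %s\n", $path, $msg;
    return $ok;
}

add_crl($store, $old_crl);   # first CRL for this issuer: succeeds everywhere
add_crl($store, $new_crl);   # 0.9.8: "cert already in hash table"; 1.0.x: ok
add_crl($store, $new_crl);   # byte-identical CRL again: rejected on every version
```

The third add is the case Radiator hits when the file on disk has not changed between reloads; it is harmless because the store still holds the CRL that was loaded earlier.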