[RADIATOR] CRL reload question
Markus Moeller
huaraz at moeller.plus.com
Sat Sep 28 08:30:35 CDT 2013
Hi,
I have a setup for EAP TLS using CRLs and have the problem that an updated CRL is not correctly re-read in some particular situations when the CRL was expired for a moment. The setup is as follows:
<AuthBy FILE>
    Identifier EapTLS
    # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
    Filename %D/wlan_users
    EAPType TLS
    # WLAN Additional Certificate Check
    EAPTLS_CertificateVerifyHook file:"%D/hooks/check.pl"
    # WLAN root CAs
    EAPTLS_CAFile %{GlobalVar:CertsDir}/all-CAs.pem
    EAPTLS_CertificateType PEM
    # Radiator Cert
    EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server_cert.pem
    # Radiator private key
    EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server_cert.key
    EAPTLS_MaxFragmentSize 1000
    EAPTLS_CRLCheck
    EAPTLS_CRLFile %{GlobalVar:CertsDir}/CA-crl.pem
    AutoMPPEKeys
</AuthBy>
Usually when a client connects I get:
Wed Sep 18 07:46:04 2013: DEBUG: (Re)loading CRL file '/var/opt/certs/CA-crl.pem'
Wed Sep 18 07:46:04 2013: ERR: Failed to add CRL file '/var/opt/certs/CA-crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
which despite the error seems to read any updated CRL. (Or do I have this wrong? Is this only because it reads the same CRL, not an updated CRL?)
Now the CRL is downloaded on an hourly basis and in the situation where the CRL expired during that hour and a client connects I get the error
CRL has expired, 7159: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
which I expect, but I would also think that after the new CRL is downloaded (at the latest an hour after expiry) the new, updated CRL should be loaded. If not, what would be the recommended way to read a new/updated CRL?
Thank you
Markus
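An added example, not code from the post above or from Radiator, of the pre-install check a practitioner would want in the hourly CRL download job described above: the fetched CRL is accepted only if the CA signed it, its CRL number increased over the installed one, and it still covers the next scheduled download, so an expired CRL is never handed to EAPTLS_CRLFile. The CA name, the third-party 'cryptography' package and the self-signed test CA are assumptions.

```python
# Added example, not code from the original post or from Radiator: a check for a freshly
# downloaded CRL before it replaces EAPTLS_CRLFile (uses the third-party 'cryptography' package).
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example WLAN CA")])  # assumed

def _crl_number(crl):
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number

def check_new_crl(new_pem, old_pem, ca_cert_pem, refresh_hours):
    """Return (accept, reason): the CA must have signed the CRL, it must be newer than
    the installed one (old_pem may be None) and still valid at the next refresh."""
    now = dt.datetime.now(UTC)
    crl = x509.load_pem_x509_crl(new_pem)
    ca = x509.load_pem_x509_certificate(ca_cert_pem)
    if not crl.is_signature_valid(ca.public_key()):
        return False, "signature does not verify against the CA"
    # next_update_utc exists on newer releases; older ones expose a naive UTC next_update
    nxt = getattr(crl, "next_update_utc", None) or (crl.next_update and crl.next_update.replace(tzinfo=UTC))
    if nxt is None or nxt <= now:
        return False, "CRL is missing nextUpdate or already expired"
    if nxt <= now + dt.timedelta(hours=refresh_hours):
        return False, "CRL expires before the next scheduled download"
    if old_pem and _crl_number(crl) <= _crl_number(x509.load_pem_x509_crl(old_pem)):
        return False, "CRL number did not increase"
    return True, "ok"

def build_ca():
    """Constructed self-signed test CA so the example runs offline; returns (key, cert_pem)."""
    key, now = ec.generate_private_key(ec.SECP256R1()), dt.datetime.now(UTC)
    cert = (x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=365)).sign(key, hashes.SHA256()))
    return key, cert.public_bytes(serialization.Encoding.PEM)

def build_crl(key, number, hours_since_this_update, hours_until_next_update):
    """Constructed empty CRL whose thisUpdate/nextUpdate are given in hours from now."""
    now = dt.datetime.now(UTC)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
           .last_update(now - dt.timedelta(hours=hours_since_this_update))
           .next_update(now + dt.timedelta(hours=hours_until_next_update))
           .add_extension(x509.CRLNumber(number), critical=False).sign(key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.PEM)
```

Run it from the download job after the fetch and only move the file into place when the check returns True; with an hourly refresh, pass refresh_hours=1.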