[RADIATOR] CRL reload question
Markus Moeller
huaraz at moeller.plus.com
Sun Sep 29 08:52:21 CDT 2013
Hi,
I would expect something like this:
If error "already in hashtable"
    $self->log($main::LOG_ERR, "Free old entry and add new CRL");
    loop over objects
    my $idx = 0; ?????
    for (my $i = $idx; $i < $cert_store->num; $i++) {
        my $obj = $cert_store->data[$i];
        if ($obj->data.crl == $crl->data.crl) {
            &Net::SSLeay::X509_CRL_free($obj);
            $obj = Net::SSLeay::X509_CRL_new();
            $obj->data.crl = $crl;
            $cert_store->data[$i] = $obj;
            last;
        }
    }
in TLS.pm. I haven’t tried it yet as I haven’t got a dev setup ready, but wonder if that looks sensible.
Regards
Markus
From: Markus Moeller
Sent: Sunday, September 29, 2013 1:50 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] CRL reload question
Hi,
Looking at Net-SSLeay-1.55 I found there are now more low-level CRL functions (Low level API: X509_CRL_-related functions). Are they, or will they be, included in a newer Radiator release to clear a CRL and reload it correctly without a server restart?
Thank you
Markus
From: Markus Moeller
Sent: Saturday, September 28, 2013 2:55 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] CRL reload question
And openssl is 0.9.8x.
From: Markus Moeller
Sent: Saturday, September 28, 2013 2:45 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] CRL reload question
I forgot to say that I use Radiator 4.9
Markus
From: Markus Moeller
Sent: Saturday, September 28, 2013 2:30 PM
To: radiator at open.com.au
Subject: [RADIATOR] CRL reload question
Hi,
I have a setup for EAP-TLS using CRLs and have the problem that an updated CRL is not correctly re-read in some particular situations where the CRL was expired for a moment. The setup is as follows:
<AuthBy FILE>
Identifier EapTLS
# the file is used to check usernames (assuming EAP-TLS certificate checks pass):
Filename %D/wlan_users
EAPType TLS
# WLAN Additional Certificate Check
EAPTLS_CertificateVerifyHook file:"%D/hooks/check.pl"
# WLAN root CAs
EAPTLS_CAFile %{GlobalVar:CertsDir}/all-CAs.pem
EAPTLS_CertificateType PEM
# Radiator Cert
EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server_cert.pem
# Radiator private key
EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server_cert.key
EAPTLS_MaxFragmentSize 1000
EAPTLS_CRLCheck
EAPTLS_CRLFile %{GlobalVar:CertsDir}/CA-crl.pem
AutoMPPEKeys
</AuthBy>
Usually when a client connects I get:
Wed Sep 18 07:46:04 2013: DEBUG: (Re)loading CRL file '/var/opt/certs/CA-crl.pem'
Wed Sep 18 07:46:04 2013: ERR: Failed to add CRL file '/var/opt/certs/CA-crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
which, despite the error, seems to read any updated CRL. (Or do I have this wrong? Is this only because it reads the same CRL, not an updated CRL?)
Now the CRL is downloaded on an hourly basis, and in the situation where the CRL expired during that hour and a client connects, I get the error
CRL has expired, 7159: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
which I expect, but I would also think that after the new CRL is downloaded (at the latest an hour after expiry) the new updated CRL should be loaded. If not, what would be the recommended way to read a new/updated CRL?
Thank you
Markus
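As an added example (not Radiator's or Net::SSLeay's code), a freshness check for the hourly download job that projects whether the CRL's nextUpdate will pass before the next download replaces the file, which is exactly the gap in which clients get "CRL has expired". It assumes the openssl command line is available, the hourly schedule described above, and the CRL path from the config.

```python
"""Freshness check for the hourly CRL download job (added example).

Radiator only (re)loads EAPTLS_CRLFile when a client connects, so if the
CRL's nextUpdate passes before the next download replaces the file, every
EAP-TLS client is rejected with "CRL has expired" until then. Run this from
the download job (or cron) to catch that gap before clients hit it.
"""
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Value format openssl prints, e.g. "nextUpdate=Sep 29 12:00:00 2013 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"
HOURLY = timedelta(hours=1)  # assumed download interval, as in the thread


def parse_next_update(openssl_output: str) -> datetime:
    """Extract nextUpdate from `openssl crl -noout -nextupdate` output."""
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "nextUpdate":
            naive = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            return naive.replace(tzinfo=timezone.utc)
    raise ValueError("no nextUpdate line in openssl output")


def outage_window(next_update: datetime, now: datetime,
                  refresh_interval: timedelta) -> Optional[Tuple[datetime, datetime]]:
    """Return (start, end) of the period in which clients would be rejected
    because the CRL on disk is expired and the next download has not yet
    replaced it, or None if the current CRL outlives the next refresh."""
    next_refresh = now + refresh_interval
    if next_update > next_refresh:
        return None
    return (max(next_update, now), next_refresh)


def check_crl_file(path: str, refresh_interval: timedelta = HOURLY
                   ) -> Optional[Tuple[datetime, datetime]]:
    """Run openssl on a PEM CRL and report the projected outage window, if any."""
    out = subprocess.run(["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
                         check=True, capture_output=True, text=True).stdout
    return outage_window(parse_next_update(out), datetime.now(timezone.utc),
                         refresh_interval)


if __name__ == "__main__":
    import sys
    gap = check_crl_file(sys.argv[1] if len(sys.argv) > 1 else "/var/opt/certs/CA-crl.pem")
    if gap:
        print(f"WARNING: CRL expires {gap[0]:%Y-%m-%d %H:%M}Z; clients rejected "
              f"until the next refresh at {gap[1]:%Y-%m-%d %H:%M}Z")
        sys.exit(1)
    print("CRL outlives the next scheduled refresh")
```

A non-zero exit from the download job is the point to trigger an early re-download or an alert rather than waiting for the next hourly run.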
--------------------------------------------------------------------------------
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator