[RADIATOR] CRL reload question

Markus Moeller huaraz at moeller.plus.com
Sun Sep 29 08:52:21 CDT 2013


Hi,

   I would expect something like this:

If error "already in hashtable"

$self->log($main::LOG_ERR, "Free old entry and add new CRL");

# pseudocode: walk the objects held in the X509_STORE and replace the stale CRL entry
loop over objects
my $idx = 0 ?????
for (my $i = $idx; $i < $cert_store->num; $i++) {
   my $obj = $cert_store->data[$i];
   if ($obj->data.crl == $crl->data.crl) {
       &Net::SSLeay::X509_CRL_free($obj);
       $obj = Net::SSLeay::X509_CRL_new();
       $obj->data.crl = $crl;
       $cert_store->data[$i] = $obj;
       last;
   }
}

in TLS.pm. I haven't tried it yet as I haven't got a dev setup ready, but wonder if that looks sensible.

Regards
Markus

From: Markus Moeller 
Sent: Sunday, September 29, 2013 1:50 PM
To: radiator at open.com.au 
Subject: Re: [RADIATOR] CRL reload question

Hi,

   Looking at Net-SSLeay-1.55 I found there are now more low-level CRL functions (Low level API: X509_CRL_ related functions). Are they, or will they be, included in a newer Radiator release to clear a CRL and re-load it correctly without a server restart?

Thank you
Markus

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:55 PM
To: radiator at open.com.au 
Subject: Re: [RADIATOR] CRL reload question

And openssl is 0.9.8x.

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:45 PM
To: radiator at open.com.au 
Subject: Re: [RADIATOR] CRL reload question

I forgot to say that I use Radiator 4.9

Markus

From: Markus Moeller 
Sent: Saturday, September 28, 2013 2:30 PM
To: radiator at open.com.au 
Subject: [RADIATOR] CRL reload question

Hi,

  I have a setup for EAP TLS using CRLs and have the problem that an updated CRL is not correctly re-read in some particular situations when the CRL was expired for a moment. The setup is as follows:

<AuthBy FILE>
  Identifier EapTLS
  # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
  Filename %D/wlan_users
  EAPType TLS

  # WLAN Additional Certificate Check
  EAPTLS_CertificateVerifyHook file:"%D/hooks/check.pl"

  # WLAN root CAs
  EAPTLS_CAFile %{GlobalVar:CertsDir}/all-CAs.pem

  EAPTLS_CertificateType PEM

  # Radiator Cert
  EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server_cert.pem
  # Radiator private key
  EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server_cert.key

  EAPTLS_MaxFragmentSize 1000

  EAPTLS_CRLCheck
  EAPTLS_CRLFile %{GlobalVar:CertsDir}/CA-crl.pem

  AutoMPPEKeys

</AuthBy>


Usually when a client connects I get: 

Wed Sep 18 07:46:04 2013: DEBUG: (Re)loading CRL file '/var/opt/certs/CA-crl.pem'
Wed Sep 18 07:46:04 2013: ERR: Failed to add CRL file '/var/opt/certs/CA-crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table

which despite the error seems to read any updated CRL. (Or do I have this wrong? Is this only because it reads the same CRL, not an updated CRL?)

Now the CRL is downloaded on an hourly basis and in the situation where the CRL expired during that hour and a client connects I get the error

CRL has expired,  7159: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

which I expect, but I would also think that after the new CRL is downloaded (at the latest an hour after expiry) the new updated CRL should be loaded. If not, what would be the recommended way to read a new/updated CRL?

Thank you
Markus
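As an added example, not code from the original post, from Radiator or from Net::SSLeay: a Perl check using the X509_CRL_ low-level functions of Net::SSLeay 1.55 or later that verifies a freshly downloaded PEM CRL parses and has not passed its nextUpdate before the hourly job copies it over the file Radiator reloads, so an expired CRL is never installed. The file path and the two-hour margin are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of the original post or of Radiator/Net::SSLeay.
# Checks a freshly downloaded PEM CRL before it replaces the file Radiator
# reloads, so that an expired CRL is never installed.  Assumes Net::SSLeay
# 1.55 or later (X509_CRL_* low level API); path and margin are assumptions.
use strict;
use warnings;
use Net::SSLeay;
use Time::Local qw(timegm);

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

# Returns (1, $next_update_iso) when the CRL parses and its nextUpdate is at
# least $margin seconds in the future, otherwise (0, $reason).
sub crl_is_fresh {
    my ($path, $margin, $now) = @_;
    $margin //= 0;
    $now    //= time();

    my $bio = Net::SSLeay::BIO_new_file($path, 'r')
        or return (0, "cannot open $path");
    my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
    Net::SSLeay::BIO_free($bio);
    return (0, "$path is not a PEM CRL: "
               . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()))
        unless $crl;

    # nextUpdate is an ASN1_TIME owned by the CRL; read it as ISO 8601 before freeing.
    my $iso = Net::SSLeay::P_ASN1_TIME_get_isotime(
                  Net::SSLeay::X509_CRL_get_nextUpdate($crl));
    Net::SSLeay::X509_CRL_free($crl);
    return (0, "$path has no parsable nextUpdate") unless $iso;

    my ($y, $mo, $d, $h, $mi, $s) =
        $iso =~ /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)/
        or return (0, "unexpected nextUpdate format '$iso'");
    my $next = timegm($s, $mi, $h, $d, $mo - 1, $y);

    return (0, "CRL expired at $iso") if $next <= $now;
    return (0, "CRL nextUpdate $iso is within $margin s") if $next - $now < $margin;
    return (1, $iso);
}

# Hypothetical path: the file the hourly job just downloaded, not yet installed.
my $candidate = shift @ARGV || '/var/opt/certs/CA-crl.pem.new';
my ($ok, $msg) = crl_is_fresh($candidate, 2 * 3600);   # require two hours of validity
print $ok ? "OK: valid until $msg\n" : "REJECT: $msg\n";
exit($ok ? 0 : 1);
```

The same field can be read from the command line with `openssl crl -in CA-crl.pem -noout -nextupdate`, which is a quick way to confirm whether the file Radiator is reloading was already expired at the time of the logged failure.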
--------------------------------------------------------------------------------
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator