[RADIATOR] CRL reload question

Heikki Vatiainen hvn at open.com.au
Mon Sep 30 16:18:51 CDT 2013


On 09/29/2013 04:52 PM, Markus Moeller wrote:

> I would expect something like this:
> 
> If error "already in hashtable"
>
> $self->log($main::LOG_ERR, "Free old entry and add new CRL");
>
>

Hello Markus,

we have not looked at CRL reloading lately, so I cannot tell if the new
functions would help with CRL reloading. However, a quick look at
OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
in 1.x versions than in e.g. 0.9.8x. Also, these changes between 0.9.x
and 1.0.0 look promising (OpenSSL changelog):

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
     Modify get_crl() to find a valid (unexpired) CRL if possible.
     [Steve Henson]

  *) New function X509_CRL_match() to check if two CRLs are identical. Normally
     this would be called X509_CRL_cmp() but that name is already used by
     a function that just compares CRL issuer names. Cache several CRL
     extensions in X509_CRL structure and cache CRLDP in X509.
     [Steve Henson]

If you plan to test this, can you see if you get different results with
OpenSSL 1.0.x versions than 0.9.8x?

Thanks,
Heikki

> loop over objects
> my $idx = 0 ?????
> for (my $i = $idx; $i < $cert_store->num; $i++) {
>    my $obj = $cert_store->data[$i];
>    if ($obj->data.crl == $crl->data.crl) {
>        &Net::SSLeay::X509_CRL_free($obj);
>        $obj = Net::SSLeay::X509_CRL_new();
>        $obj->data.crl = $crl;
>        $cert_store->data[$i] = $obj;
>        last;
>    }
> }
>  
> in TLS.pm.  I  haven’t tried it yet as I haven’t got a dev setup ready,
> but wonder if that looks sensible.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
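The test Heikki asks for above, as an added example that is not code from Radiator's TLS.pm, the OpenSSL project, or either poster. It loads CRL files in order into the X509_STORE of a fresh SSL_CTX through Net::SSLeay and reports what X509_STORE_add_crl() did with each one alongside the OpenSSL version string, so the same pair of files (one CRL, then a newer CRL from the same issuer, or the same file twice) can be run against 0.9.8x and 1.0.x and the results compared. The helper names (read_crl_file, add_crl_to_store, probe_crl_files) are mine; the CRL files are the reader's own; and the 'duplicate' classification assumes the failure comes back with OpenSSL's reason string for X509_R_CERT_ALREADY_IN_HASH_TABLE ("cert already in hash table"), the error Markus refers to.

```perl
#!/usr/bin/perl
# crl_reload_probe.pl -- added example, not Radiator's TLS.pm code.
# Loads CRL files in order into the X509_STORE of a fresh SSL_CTX (the
# same kind of store TLS.pm adds CRLs to) and reports what
# X509_STORE_add_crl() did with each one, plus the OpenSSL version, so
# identical inputs can be compared on 0.9.8x and 1.0.x builds.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

# Parse a PEM CRL from $path. Returns the X509_CRL pointer, or undef on failure.
sub read_crl_file {
    my ($path) = @_;
    my $bio = Net::SSLeay::BIO_new_file($path, 'r') or return undef;
    my $crl = Net::SSLeay::PEM_read_bio_X509_CRL($bio);
    Net::SSLeay::BIO_free($bio);
    return $crl ? $crl : undef;
}

# Drain OpenSSL's error queue into one string (empty if nothing is queued).
sub openssl_errors {
    my @msgs;
    while (my $e = Net::SSLeay::ERR_get_error()) {
        push @msgs, Net::SSLeay::ERR_error_string($e);
    }
    return join('; ', @msgs);
}

# Offer $crl to $store. Returns one of:
#   'added'      - the store took it (X509_STORE_add_crl returned 1)
#   'duplicate'  - OpenSSL reported X509_R_CERT_ALREADY_IN_HASH_TABLE,
#                  i.e. the store already holds this CRL (assumed reason
#                  string: "cert already in hash table")
#   'error: ...' - any other failure, with OpenSSL's error text
sub add_crl_to_store {
    my ($store, $crl) = @_;
    Net::SSLeay::ERR_clear_error();
    return 'added' if Net::SSLeay::X509_STORE_add_crl($store, $crl);
    my $err = openssl_errors();
    return $err =~ /already in hash ?table/i ? 'duplicate' : "error: $err";
}

# Load every file in @paths into $store, in order, and return one
# "path: status" line per file. X509_STORE_add_crl() takes its own
# reference on the CRL when it accepts it, so the reference obtained from
# PEM_read_bio_X509_CRL() is released here in every case.
sub probe_crl_files {
    my ($store, @paths) = @_;
    my @report;
    for my $path (@paths) {
        my $crl = read_crl_file($path);
        if (!$crl) {
            push @report, "$path: parse failed: " . openssl_errors();
            next;
        }
        my $status = add_crl_to_store($store, $crl);
        Net::SSLeay::X509_CRL_free($crl);
        push @report, "$path: $status";
    }
    return @report;
}

# Usage: perl crl_reload_probe.pl old.pem new.pem
# Pass the same file twice to exercise the 'duplicate' path; pass two
# different CRLs from one issuer to see whether the store keeps both.
unless (caller) {
    die "usage: $0 crl.pem [crl.pem ...]\n" unless @ARGV;
    my $ctx   = Net::SSLeay::CTX_new() or die "CTX_new failed: " . openssl_errors();
    my $store = Net::SSLeay::CTX_get_cert_store($ctx);
    print "OpenSSL: ", Net::SSLeay::SSLeay_version(0), "\n";
    print "$_\n" for probe_crl_files($store, @ARGV);
    Net::SSLeay::CTX_free($ctx);
}
```

Read against the changelog entries quoted above: on 1.0.x a second, different CRL from the same issuer should come back 'added' and both then live in the store, with get_crl() preferring the unexpired one, while feeding the identical file twice should come back 'duplicate' because X509_CRL_match() finds it already present; the first entry implies that before 1.0.0 the same-issuer case was rejected as well. In the 'duplicate' case nothing in the store has changed, so a reloader only needs to free its freshly parsed copy rather than replace anything.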

