[RADIATOR] CRL reload question

Markus Moeller huaraz at moeller.plus.com
Mon Sep 30 16:50:58 CDT 2013


Hi Heikki,

   OK I'll try with a later 1.x version.

Thank you
Markus

-----Original Message----- 
From: Heikki Vatiainen
Sent: Monday, September 30, 2013 10:18 PM
To: radiator at open.com.au
Subject: Re: [RADIATOR] CRL reload question

On 09/29/2013 04:52 PM, Markus Moeller wrote:

>    I would  expect  something like this:
>
> If error "already in hashtable"
>
> $self->log($main::LOG_ERR, "Free old entray and add new CRL";
>

Hello Markus,

we have not looked at CRL reloading lately so I can not tell if the new
functions would help with CRL reloading. However, a quick look at
OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
in 1.x versions than e.g., in 0.9.8x. Also, these changes between 0.9.x
and 1.0.0 look promising (OpenSSL changelog):

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer
names.
     Modify get_crl() to find a valid (unexpired) CRL if possible.
     [Steve Henson]

  *) New function X509_CRL_match() to check if two CRLs are identical.
Normally
     this would be called X509_CRL_cmp() but that name is already used by
     a function that just compares CRL issuer names. Cache several CRL
     extensions in X509_CRL structure and cache CRLDP in X509.
     [Steve Henson]

If you plan to test this, can you see if you get different results with
OpenSSL 1.0.x versions than 0.9.8x?

Thanks,
Heikki

> loop over objects
> my $idx = 0 ?????
> for (i = $idx ; i< $cert_store->num; i++) {
>    my $obj -> $cert_store->data[i];
>    if (obj->data.crl == $crl->data.crl) {
>        &Net::SSLeay::X509_CRL_free($obj);
>        $obj = Net::SSLeay::X509_CRL_new();
>        $obj->data.crl = $crl;
>        $cert_store->data[i] = $obj;
>        break
>    }
> }
>
> in TLS.pm.  I  haven’t tried it yet as I haven’t got a dev setup ready,
> but wonder if that looks sensible.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator at open.com.au
http://www.open.com.au/mailman/listinfo/radiator




More information about the radiator mailing list