[RADIATOR] CRLs not working with EAP TLS

Heikki Vatiainen hvn at open.com.au
Wed Mar 26 16:09:06 CDT 2014


On 03/24/2014 11:59 PM, Markus Moeller wrote:

> I have setup EAP-TLS for wired 802.1x using CRLCheck, but I noticed that
> despite having the certificate serial number in the CRL Radiator still
> accepts the presented certificate ( I also can see Radiator re-read the
> CRL file) .

Hello Markus,

I did some testing, compiled the Net-SSLeay 1.58 and OpenSSL 1.0.1e. I
see the same as you: the file change is noticed by Radiator and the file
is loaded. The changes, however, do not have any effect.

If I just touch the file without changing it, the libs give the 'cert
already in hash table' error.

> I was trying to verify that the serial numbers match using
> the EAPTLS_CertificateVerifyHook function but can't extract the
> certificate serial number. I tried with my $ai =
> &Net::SSLeay::X509_get_serialNumber($x509); which I read does not give
> the serial number but an ASN.1 encoded string. Does anybody have a tool
> which converts it into a serial number which I can compare to the CRL
> serial number?

Are you thinking of this?

# X509_get_serialNumber returns a pointer to the ASN1_INTEGER, not the value
my $ai = Net::SSLeay::X509_get_serialNumber($x509);
# ASN1_INTEGER_get converts that ASN1_INTEGER into a (C long) integer
my $rv = Net::SSLeay::ASN1_INTEGER_get($ai);
print "ai: $ai rv: $rv\n";

> Does anybody have CRL working for EAP TLS?

It does look like a restart is needed when the CRL is refreshed. The
verify against CRL seems to work, but refreshing the CRL without restart
looks problematic.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
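The serial-number comparison asked about in the thread, worked through as an added example in Python (it is not Radiator, Net::SSLeay or list code). It assumes the certificate serial has been obtained as the raw DER-encoded ASN.1 INTEGER bytes (the form i2d_ASN1_INTEGER produces); that extraction step is not shown. It decodes those bytes into the canonical uppercase hex that `openssl crl -text` prints for revoked entries and checks membership against a constructed CRL listing. Comparing hex strings rather than converting to a native integer matters because ASN1_INTEGER_get returns a C long, while RFC 5280 allows serials of up to 20 octets; the 8-byte serial in the sample below already exceeds a signed 64-bit long.

```python
# Added example: DER ASN.1 INTEGER -> openssl-style hex serial -> CRL lookup.
# Not from the Radiator mailing list or Net::SSLeay; all inputs are constructed.
import re

# Constructed stand-in for `openssl crl -text -noout` output with two revoked entries.
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=Example Lab CA
        Last Update: Mar 24 12:00:00 2014 GMT
        Next Update: Apr 23 12:00:00 2014 GMT
Revoked Certificates:
    Serial Number: 1001
        Revocation Date: Mar 24 11:30:00 2014 GMT
    Serial Number: 8F01020304050607
        Revocation Date: Mar 24 11:45:00 2014 GMT
"""


def decode_der_integer(der: bytes) -> int:
    """Decode one DER INTEGER TLV (tag 0x02) into a Python int.

    Content octets are a big-endian two's complement value; a leading 0x00
    is how DER keeps a value with its top bit set positive.
    """
    if len(der) < 3 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER (tag 0x02 expected)")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long-form length: 0x8N, then N length octets
        n = first & 0x7F
        if n == 0 or n > 4:               # indefinite length is not DER; cap absurd sizes
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    content = der[offset:offset + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated INTEGER content")
    return int.from_bytes(content, "big", signed=True)


def serial_to_hex(serial: int) -> str:
    """Format a serial the way openssl's i2a_ASN1_INTEGER prints it:
    uppercase hex, whole bytes (even digit count), no leading zero bytes."""
    if serial < 0:
        raise ValueError("certificate serial numbers must be positive (RFC 5280)")
    h = format(serial, "X")
    return h if len(h) % 2 == 0 else "0" + h


def revoked_serials_from_crl_text(crl_text: str) -> set[str]:
    """Collect the 'Serial Number: ...' entries of a textual CRL dump."""
    return {
        m.group(1).upper()
        for m in re.finditer(r"Serial Number:\s*([0-9A-Fa-f]+)", crl_text)
    }


def is_revoked(cert_serial_der: bytes, crl_text: str) -> bool:
    """True if the certificate's serial appears in the CRL listing."""
    serial_hex = serial_to_hex(decode_der_integer(cert_serial_der))
    return serial_hex in revoked_serials_from_crl_text(crl_text)


if __name__ == "__main__":
    # Constructed DER serials: 0x1001, an 8-byte value with the top bit set
    # (note the 0x00 pad byte), and a serial that is not on the list.
    for der in (b"\x02\x02\x10\x01",
                b"\x02\x09\x00\x8f\x01\x02\x03\x04\x05\x06\x07",
                b"\x02\x02\x10\x02"):
        shown = serial_to_hex(decode_der_integer(der))
        print(f"serial {shown}: {'REVOKED' if is_revoked(der, SAMPLE_CRL_TEXT) else 'not in CRL'}")
```

The regex is deliberately case sensitive: the CRL header's authority key identifier can contain a lowercase `serial:` field, which must not be mistaken for a revoked entry.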

