<div dir="ltr">All, <div><br></div><div>I suppose I should also provide the details I have in the Radiator configuration:</div><div><br></div><div> Protocol tcp<br> UseTLS<br> TLS_Protocols TLSv1.2<br> Secret radsec<br> TLS_CAFile %D/cert/roaming-eduPKI-CA.crt<br> TLS_CertificateFile %D/cert/hostname-eduPKI.pem<br> TLS_CertificateType PEM<br> TLS_PrivateKeyFile %D/cert/hostname-key.pem<br> TLS_PolicyOID [redacted]<br> TLS_RequireClientCert<br> TLS_Ciphers [redacted]<br> TLS_OCSPCheck<br> TLS_OCSPStapling</div><div># TLS_CRLCheck</div><div># TLS_CRLFile %D/cert/cacrl.pem<br></div><div><br></div><div>I would have thought that the TLS_CAFile value would be used by -issuer and -CAfile. I suspect by the error message displayed, that the -CAfile value is not being supplied (and the CA assumed to be in the default CA directory)...</div><div><br></div><div>As before, thoughts are much appreciated :-)</div><div><br></div><div>Stefan</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 15 Aug 2023 at 21:32, Stefan Paetow (OpenSource) <<a href="mailto:oss@eons.net">oss@eons.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi there, <div><br></div><div>So, I've tried to use OCSP validation with the certificates issued by eduPKI (so this covers the majority of eduroam national operators and some identity providers). Radiator didn't like it and kicked up failures. </div><div><br></div><div>I then tried manually verifying and that succeeds, using this command-line: </div><div><br></div><div>openssl ocsp -issuer /etc/radiator/cert/roaming-eduPKI-CA.crt -cert /etc/radiator/cert/hostname-eduPKI.pem -CAfile /etc/radiator/cert/roaming-eduPKI-CA.crt -url <a href="http://ocsp.edupki.org/OCSP-Server/OCSP" target="_blank">http://ocsp.edupki.org/OCSP-Server/OCSP</a><br></div><div><br></div><div>The URL is obviously retrieved from the certificate, but it appears there's something missing when Radiator tries to do an OCSP verify. </div><div><br></div><div>Thoughts? </div><div><br></div><div>With kind regards</div><div><br>Stefan</div><div><br></div></div>
</blockquote></div>