<div dir="ltr">Hi Heikki,<div><br></div><div>This is in the log (I'm running in DEBUG, if you need TRACE, please let me know):</div><div><br></div><div>599943: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamServer: New connection from [IP_ADDRESS] port 37591<br>602499: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Stream connected to [IP_ADDRESS] ([IP_ADDRESS] port 37591)<br>602877: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS sessionInit for [IP_ADDRESS]<br>604329: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive:<br>605208: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL initialization<br>605518: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL initialization<br>605824: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL initialization<br>606136: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1, reason/error: 'SSL_ERROR_WANT_READ', state: 'before SSL initialization'<br>606597: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS Server Started for [IP_ADDRESS] ([IP_ADDRESS] port 37591)<br>606885: DEBUG: ServerRADSEC (EDUROAM_RADSEC) New StreamServer Connection created for [IP_ADDRESS] port 37591<br>607573: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive: [...]<br>607870: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL initialization<br>608319: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS read client hello<br>608581: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write server hello<br>609117: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write certificate<br>626293: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write key exchange<br>626717: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write certificate request<br>626958: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write server done<br>627333: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write server done<br>627628: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1, 
reason/error: 'SSL_ERROR_WANT_READ', state: 'SSLv3/TLS write server done'<br>627994: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS send: [...]<br>636950: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive: [...]<br>637410: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write server done<br>638238: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Verifying certificate presented by peer [IP_ADDRESS]<br>638609: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Issuer Name is /DC=org/DC=edupki/CN=eduPKI CA G 01<br>638884: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Subject Name is [redacted]<br>639147: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Serial Number is [redacted]<br>639804: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS sending OCSP request to URI '<a href="http://ocsp.edupki.org/OCSP-Server/OCSP">http://ocsp.edupki.org/OCSP-Server/OCSP</a>' for certificate: 3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2<br>034756: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS OCSP response received for certificate: 3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2<br>036004: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS OCSP response verification '3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2' failed: 0<br>036330: WARNING: ServerRADSEC (EDUROAM_RADSEC) Verifying OCSP response failed for Subject '[redacted]' presented by peer [IP_ADDRESS]<br>036681: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: error<br>036944: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: error<br>037213: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1, reason/error: 'SSL_ERROR_SSL', state: 'error'<br>037592: ERR: ServerRADSEC (EDUROAM_RADSEC) SSL_accept Certificate verification error ([IP_ADDRESS] port 37591): 
verify error: application verification failure, error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error<br>00000000 error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed<br>037852: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Stream disconnected from [IP_ADDRESS] ([IP_ADDRESS] port 37591)<br></div><div><br></div><div>I've redacted the source IP and the subject. I look at the 'response verification' line (036004) where the result code is 0, which usually means it was successful. </div><div><br></div><div>And yeah, like you say, you use APIs, and I considered whether adding the CA certificate into the trusted store on the machine would make a difference, but it doesn't appear so. Is there possibly an assumption within Net::SSLeay that if you don't specify a certificate somehow to verify the response with that the trusted store is used? :-/</div><div><br></div><div>I will note though that the response does not include a nonce (if the request contains one), although that's not a requirement... This is the case when I use 'openssl verify', so I assume the same applies to the API.</div><div><br></div><div>Kind regards</div><div><br>Stefan</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 16 Aug 2023 at 10:02, Heikki Vatiainen via radiator <<a href="mailto:radiator@lists.open.com.au">radiator@lists.open.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 15.8.2023 23.53, Stefan Paetow (OpenSource) via radiator wrote:<br>
<br>
> I suppose I should also provide the details I have in the Radiator <br>
> configuration:<br>
> <br>
> Protocol tcp<br>
> UseTLS<br>
> TLS_Protocols TLSv1.2<br>
> Secret radsec<br>
> TLS_CAFile %D/cert/roaming-eduPKI-CA.crt<br>
> TLS_CertificateFile %D/cert/hostname-eduPKI.pem<br>
> TLS_CertificateType PEM<br>
> TLS_PrivateKeyFile %D/cert/hostname-key.pem<br>
> TLS_PolicyOID [redacted]<br>
> TLS_RequireClientCert<br>
> TLS_Ciphers [redacted]<br>
> TLS_OCSPCheck<br>
> TLS_OCSPStapling<br>
> # TLS_CRLCheck<br>
> # TLS_CRLFile %D/cert/cacrl.pem<br>
> <br>
> I would have thought that the TLS_CAFile value would be used by -issuer <br>
> and -CAfile. I suspect by the error message displayed, that the -CAfile <br>
> value is not being supplied (and the CA assumed to be in the default CA <br>
> directory)...<br>
<br>
Radiator uses OpenSSL APIs via Net::SSLeay for OCSP processing. It <br>
doesn't call 'openssl ocsp ...' to do this.<br>
<br>
You'd need to have the Perl LWP::UserAgent module installed for talking to <br>
the OCSP responder (server); that's one external dependency that is <br>
required.<br>
<br>
> As before, thoughts are much appreciated :-)<br>
<br>
If you send me the logs, I can take a further look. It should work even <br>
with the latest OpenSSL 3.1.2, tested with the demo certificates that <br>
come with Radiator, but it's hard to say much more without seeing the logs.<br>
<br>
Thanks,<br>
Heikki<br>
<br>
> Stefan<br>
> <br>
> On Tue, 15 Aug 2023 at 21:32, Stefan Paetow (OpenSource) <<a href="mailto:oss@eons.net" target="_blank">oss@eons.net</a>> wrote:<br>
> <br>
> Hi there,<br>
> <br>
> So, I've tried to use OCSP validation with the certificates issued<br>
> by eduPKI (so this covers the majority of eduroam national<br>
> operators and some identity providers). Radiator didn't like it and<br>
> kicked up failures.<br>
> <br>
> I then tried manually verifying and that succeeds, using this<br>
> command-line:<br>
> <br>
> openssl ocsp -issuer /etc/radiator/cert/roaming-eduPKI-CA.crt -cert<br>
> /etc/radiator/cert/hostname-eduPKI.pem -CAfile<br>
> /etc/radiator/cert/roaming-eduPKI-CA.crt -url<br>
> <a href="http://ocsp.edupki.org/OCSP-Server/OCSP" rel="noreferrer" target="_blank">http://ocsp.edupki.org/OCSP-Server/OCSP</a><br>
> <br>
> The URL is obviously retrieved from the certificate, but it appears<br>
> there's something missing when Radiator tries to do an OCSP verify.<br>
> <br>
> Thoughts?<br>
> <br>
> With kind regards<br>
> <br>
> Stefan<br>
> <br>
> <br>
> _______________________________________________<br>
> radiator mailing list<br>
> <a href="mailto:radiator@lists.open.com.au" target="_blank">radiator@lists.open.com.au</a><br>
> <a href="https://lists.open.com.au/mailman/listinfo/radiator" rel="noreferrer" target="_blank">https://lists.open.com.au/mailman/listinfo/radiator</a><br>
<br>
-- <br>
Heikki Vatiainen<br>
OSC, makers of Radiator<br>
Visit <a href="http://radiatorsoftware.com" rel="noreferrer" target="_blank">radiatorsoftware.com</a> for Radiator AAA server software<br>
</blockquote></div>
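<div><br></div><div>Added example, not from this thread and not Radiator's or Net::SSLeay's code: an offline reproduction with the same 'openssl ocsp' tool used above, showing two facts that matter when a command-line OCSP check is compared with verification done through the OpenSSL API. First, OCSP_basic_verify(), which Net::SSLeay wraps, returns 1 on success and 0 on failure, and an API caller can only verify the response signer's chain against the certificate store it is handed. Second, the command-line tool has a fallback the API does not: when the response is signed directly by the certificate passed as -issuer, 'openssl ocsp' accepts it without any chain check (the OCSP_TRUSTOTHER path), so a passing CLI run does not by itself prove that store-based verification would pass. The script assumes an 'openssl' binary is on the PATH, builds a throw-away CA, server certificate and delegated OCSP signer (the names "Test Roaming CA", "radsec.example.test" and "Test OCSP Responder" are constructed), issues two responses offline from a one-line CA index, and verifies each with and without a trust anchor. Nothing here says how eduPKI signs its responses; the CA-signed case only illustrates the mechanism.</div>

```shell
#!/bin/sh
# Added example (not from the thread): an offline OCSP round trip with
# 'openssl ocsp' showing why a response can verify on the command line yet
# fail in a caller that, like the OpenSSL API, only trusts what is in the
# certificate store it was given. All certificates are constructed test
# material generated on the fly; nothing is fetched from a network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA, a RadSec server certificate, and a delegated OCSP signer that
# carries the OCSPSigning extended key usage OpenSSL requires of one.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Test Roaming CA" -days 2 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=radsec.example.test" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr \
    -subj "/CN=Test OCSP Responder" 2>/dev/null
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 \
    -days 1 -out server.crt 2>/dev/null
printf 'extendedKeyUsage = OCSPSigning\n' > ocsp.ext
openssl x509 -req -in ocsp.csr -CA ca.crt -CAkey ca.key -set_serial 0x1002 \
    -days 1 -extfile ocsp.ext -out ocsp.crt 2>/dev/null

# One-line CA database so 'openssl ocsp -index' can act as the responder:
# status V (valid), expiry, empty revocation date, serial in hex, file, subject.
printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=radsec.example.test\n' > index.txt

# The request for the server certificate. -no_nonce keeps nonces out of the
# whole exchange, which OCSP_check_nonce() accepts as "absent on both sides".
openssl ocsp -issuer ca.crt -cert server.crt -no_nonce -reqout req.der >/dev/null

# Two responses to the same request: one signed by the delegated responder,
# one signed directly with the CA key. The signer cert is embedded in each.
make_response() {  # $1 = signer cert, $2 = signer key, $3 = output file
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1" -rkey "$2" \
        -reqin req.der -no_nonce -noverify -respout "$3" >/dev/null
}
make_response ocsp.crt ocsp.key resp-delegated.der
make_response ca.crt   ca.key   resp-direct.der

# Verify a response against whatever trust anchor the caller supplies (or
# none). Output goes to verdict.txt; the return value is openssl's exit
# status, 0 only when it printed "Response verify OK".
verify_response() {  # $1 = response file, $2... = extra 'openssl ocsp' options
    resp=$1; shift
    openssl ocsp -issuer ca.crt -cert server.crt -no_nonce -respin "$resp" "$@" \
        > verdict.txt 2>&1
}

show() {  # $1 = label, $2 = response file, $3... = extra options
    label=$1; resp=$2; shift 2
    if verify_response "$resp" "$@"; then
        echo "$label: verify OK"
    else
        echo "$label: verify FAILED"
        grep -E 'Verify Failure|certificate verify error' verdict.txt || true
    fi
}

# Delegated signer chains to the supplied anchor: OK.
show "delegated signer, -CAfile ca.crt" resp-delegated.der -CAfile ca.crt
# Same response, no anchor: the chain check fails with the same
# "OCSP routines ... certificate verify error" seen in the Radiator log.
show "delegated signer, no -CAfile"     resp-delegated.der
# CA-signed response, still no anchor: the CLI trusts the -issuer cert as
# signer outright (OCSP_TRUSTOTHER) and reports OK, which the store-based
# API verification would not.
show "CA-signed response, no -CAfile"   resp-direct.der
```

<div>Run it as 'sh ocsp-demo.sh'. The three verdicts are: verify OK, verify FAILED with 'certificate verify error', and verify OK. The last one is the trap: it passes only because of '-issuer', so a command-line test meant to mirror an API caller should be judged on the run that supplies the trust anchor with '-CAfile' and does not rely on the issuer fallback.</div>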