Hi, I have a setup for EAP TLS using CRLs and have the problem that an updated CRL is not correctly re-read in some particular situations when the CRL was expired for a moment. The setup is as follows:
    <AuthBy FILE>
        Identifier EapTLS
        # the file is used to check usernames (assuming EAP-TLS certificate checks pass):
        Filename %D/wlan_users
        EAPType TLS
        # WLAN Additional Certificate Check
        EAPTLS_CertificateVerifyHook file:"%D/hooks/check.pl"
        # WLAN root CAs
        EAPTLS_CAFile %{GlobalVar:CertsDir}/all-CAs.pem
        EAPTLS_CertificateType PEM
        # Radiator Cert
        EAPTLS_CertificateFile %{GlobalVar:CertsDir}/server_cert.pem
        # Radiator private key
        EAPTLS_PrivateKeyFile %{GlobalVar:CertsDir}/server_cert.key
        EAPTLS_MaxFragmentSize 1000
        EAPTLS_CRLCheck
        EAPTLS_CRLFile %{GlobalVar:CertsDir}/CA-crl.pem
        AutoMPPEKeys
    </AuthBy>

Usually when a client connects I get:

    Wed Sep 18 07:46:04 2013: DEBUG: (Re)loading CRL file '/var/opt/certs/CA-crl.pem'
    Wed Sep 18 07:46:04 2013: ERR: Failed to add CRL file '/var/opt/certs/CA-crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table

which, despite the error, seems to read any updated CRL. (Or do I have this wrong? Is this only because it reads the same CRL, not an updated CRL?)

Now the CRL is downloaded on an hourly basis, and in the situation where the CRL expired during that hour and a client connects I get the error:

    CRL has expired, 7159: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

which I expect, but I would also think that after the new CRL is downloaded (at the latest an hour after expiry) the new updated CRL should be loaded. If not, what would be the recommended way to read a new/updated CRL?

Thank you
Markus
_______________________________________________ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
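The failure mode in the post is a CRL whose nextUpdate passes before the hourly download replaces it: from that moment every EAP-TLS client is rejected with "CRL has expired" until a valid CRL is in place. The added example below is not from the post and not Radiator code; it is a stand-alone Go program (standard library only) that builds a constructed test CA and client certificate, signs CRLs with chosen CRL numbers and validity windows, and then shows the two checks a practitioner wants: the gate a download job should apply to a candidate CRL before it overwrites CA-crl.pem (validateCRL / refreshCRL), and the per-handshake decision that makes an expired CRL fail all clients while a current CRL fails only revoked serials (checkClient). The CA name "Test CA", the client CN "wlan-user" and serial 4711, and the CRL numbers are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrCRLExpired = errors.New("CRL has expired")

// testPKI is a constructed CA plus one client certificate (assumed for this
// example); it stands in for the CA behind all-CAs.pem and a WLAN user's cert.
type testPKI struct {
	caCert, client *x509.Certificate
	caKey          ed25519.PrivateKey
}

func newTestPKI() *testPKI {
	now := time.Now()
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, _, _ := ed25519.GenerateKey(rand.Reader)
	issue := func(tpl, parent *x509.Certificate, pub any) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, caKey)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der) // just produced, so it parses
		return c
	}
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}
	ca := issue(caTpl, caTpl, caKey.Public())
	client := issue(&x509.Certificate{
		SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "wlan-user"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, ca, clientPub)
	return &testPKI{caCert: ca, client: client, caKey: caKey}
}

// signCRL issues a DER CRL from the test CA so expired, current and revoking CRLs can be built at will.
func (p *testPKI) signCRL(number int64, thisUpdate, nextUpdate time.Time, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(number), ThisUpdate: thisUpdate, NextUpdate: nextUpdate,
		RevokedCertificates: entries,
	}, p.caCert, p.caKey)
	if err != nil {
		panic(err)
	}
	return der
}

// validateCRL is the gate for a downloaded CRL: signed by the expected CA and nextUpdate still ahead of 'now'.
func validateCRL(der []byte, ca *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := rl.CheckSignatureFrom(ca); err != nil { // wrong CA or tampered file
		return nil, err
	}
	if !rl.NextUpdate.IsZero() && !now.Before(rl.NextUpdate) {
		return nil, ErrCRLExpired
	}
	return rl, nil
}

// refreshCRL models the hourly job: the installed CRL stays in place (and the reason is reported) unless the candidate validates.
func refreshCRL(installed, candidate []byte, ca *x509.Certificate, now time.Time) ([]byte, error) {
	if _, err := validateCRL(candidate, ca, now); err != nil {
		return installed, err
	}
	return candidate, nil
}

// checkClient is the per-handshake decision: an expired CRL fails every client, a current one only revoked serials.
func checkClient(crl []byte, ca, client *x509.Certificate, now time.Time) error {
	rl, err := validateCRL(crl, ca, now)
	if err != nil {
		return err
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return errors.New("client certificate is revoked")
		}
	}
	return nil
}
```

The point of refreshCRL is that the download job, not the RADIUS server, is the place to notice a bad CRL: if the fetched file is expired, unsigned by the expected CA, or unparsable, the job should keep the old file, alert, and retry, rather than leave the server with whatever arrived. Two things the example leaves to the operator: fetch the CRL well before nextUpdate rather than on a fixed hourly schedule (the nextUpdate of the installed file can be printed with `openssl crl -noout -nextupdate -in CA-crl.pem`), and refuse a candidate whose CRL number is lower than the installed one, so that a replayed old CRL cannot un-revoke a certificate.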