On 10/29/2013 12:41 AM, Markus Moeller wrote:
> I still get the same error with openssl 1.0.1. The CRL on disk is new,
> but radiator says CRL is expired. Radiator also gives a reload CRL error
> saying the CRL already exists.

Hello Markus,

can you do one more test? Check with 'ldd /path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL libs you expect it to.

Thanks,
Heikki

> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_1.pem'
> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_2.pem'
> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_4.pem'
> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_4.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
> Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed: CRL has expired, 19868: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Mon Oct 28 22:21:23 2013: INFO: EAP TLS certificate verification failed: CRL has expired, 19868: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
> # ls -al User_CA_2.pem
> -rwxrwxrwx 1 root root 70699 Oct 28 21:55 User_CA_2.pem
>
> # /usr/sfw/bin/openssl crl -in User_CA_2.pem -noout -lastupdate -nextupdate
> lastUpdate=Oct 28 19:26:37 2013 GMT
> nextUpdate=Nov 11 19:26:37 2013 GMT
>
> Markus
>
> -----Original Message-----
> From: Markus Moeller
> Sent: Monday, September 30, 2013 10:50 PM
> To: Heikki Vatiainen ; radiator@open.com.au
> Subject: Re: [RADIATOR] CRL reload question
>
> Hi Heikki,
>
> OK I'll try with a later 1.x version.
>
> Thank you
> Markus
>
> -----Original Message-----
> From: Heikki Vatiainen
> Sent: Monday, September 30, 2013 10:18 PM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] CRL reload question
>
> On 09/29/2013 04:52 PM, Markus Moeller wrote:
>
>> I would expect something like this:
>>
>> If error "already in hashtable"
>>
>>     $self->log($main::LOG_ERR, "Free old entry and add new CRL");
>>
>
> Hello Markus,
>
> we have not looked at CRL reloading lately so I can not tell if the new
> functions would help with CRL reloading. However, a quick look at
> OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
> in 1.x versions than e.g., in 0.9.8x. Also, these changes between 0.9.x
> and 1.0.0 look promising (OpenSSL changelog):
>
>   *) Allow multiple CRLs to exist in an X509_STORE with matching issuer
>      names. Modify get_crl() to find a valid (unexpired) CRL if possible.
>      [Steve Henson]
>
>   *) New function X509_CRL_match() to check if two CRLs are identical.
>      Normally this would be called X509_CRL_cmp() but that name is already
>      used by a function that just compares CRL issuer names. Cache several
>      CRL extensions in X509_CRL structure and cache CRLDP in X509.
>      [Steve Henson]
>
> If you plan to test this, can you see if you get different results with
> OpenSSL 1.0.x versions than 0.9.8x?
>
> Thanks,
> Heikki
>
>> loop over objects
>> my $idx = 0 ?????
>> for (i = $idx ; i < $cert_store->num; i++) {
>>     my $obj = $cert_store->data[i];
>>     if (obj->data.crl == $crl->data.crl) {
>>         &Net::SSLeay::X509_CRL_free($obj);
>>         $obj = Net::SSLeay::X509_CRL_new();
>>         $obj->data.crl = $crl;
>>         $cert_store->data[i] = $obj;
>>         break
>>     }
>> }
>>
>> in TLS.pm. I haven't tried it yet as I haven't got a dev setup ready,
>> but wonder if that looks sensible.

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
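The diagnostic step the thread keeps returning to is to set the "CRL has expired" errors next to the validity window of the CRL actually on disk: if the file was valid at the moment the verification failed, the running process must still be using an older in-memory copy, which is exactly what the "cert already in hash table" reload failures hint at. The script below does that comparison over the log and openssl output quoted above. It is an added example, not code from this thread, from Radiator or from OpenSSL; the sample lines are constructed copies of the quoted output, the function and regex names are mine, and it assumes Radiator's timestamps are UTC unless a different `log_tz` is passed (Radiator logs local time with no zone marker).

```python
import re
from datetime import datetime, timezone

# Constructed sample input, modelled on the Radiator log excerpt quoted in the thread.
RADIATOR_LOG = """\
Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file '/opt/radiator/etc/certs/crls/User_CA_2.pem'
Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file '/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed: CRL has expired, 19868: 1 - error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
"""

# Constructed: what 'openssl crl -in User_CA_2.pem -noout -lastupdate -nextupdate' printed.
OPENSSL_CRL_OUTPUT = """\
lastUpdate=Oct 28 19:26:37 2013 GMT
nextUpdate=Nov 11 19:26:37 2013 GMT
"""

LOG_LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>\w+): (?P<msg>.*)$")
RELOAD = re.compile(r"\(Re\)loading CRL file '(?P<path>[^']+)'")
ADD_FAILED = re.compile(r"Failed to add CRL file '(?P<path>[^']+)':.*cert already in hash table")
CRL_EXPIRED = re.compile(r"certificate verification failed: CRL has expired")
CRL_DATE = re.compile(r"^(?P<field>lastUpdate|nextUpdate)=(?P<date>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT$")


def _parse_ts(text, fmt, tz):
    # Collapse the space-padded day-of-month ("Nov  1") openssl and Radiator emit.
    return datetime.strptime(re.sub(r" +", " ", text), fmt).replace(tzinfo=tz)


def parse_crl_validity(openssl_output):
    """Return {'lastUpdate': datetime, 'nextUpdate': datetime} (UTC) from 'openssl crl' output."""
    out = {}
    for line in openssl_output.splitlines():
        m = CRL_DATE.match(line.strip())
        if m:
            out[m["field"]] = _parse_ts(m["date"], "%b %d %H:%M:%S %Y", timezone.utc)
    if set(out) != {"lastUpdate", "nextUpdate"}:
        raise ValueError("openssl output lacks lastUpdate/nextUpdate")
    return out


def parse_radiator_log(log_text, log_tz=timezone.utc):
    """Return (timestamp, kind, path) tuples for the CRL-related events in a Radiator log.

    kind is 'reload', 'reload_failed' (X509_STORE_add_crl: cert already in hash table)
    or 'crl_expired' (EAP-TLS verification failed with 'CRL has expired').
    """
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a Radiator log line; ignore
        ts = _parse_ts(m["ts"], "%a %b %d %H:%M:%S %Y", log_tz)
        msg = m["msg"]
        if (f := ADD_FAILED.search(msg)):
            events.append((ts, "reload_failed", f["path"]))
        elif (r := RELOAD.search(msg)):
            events.append((ts, "reload", r["path"]))
        elif CRL_EXPIRED.search(msg):
            events.append((ts, "crl_expired", None))
    return events


def diagnose(log_text, openssl_output, log_tz=timezone.utc):
    """Decide whether the 'CRL has expired' errors are explained by the CRL on disk
    or by a stale CRL still held in the running process's X509_STORE."""
    validity = parse_crl_validity(openssl_output)
    events = parse_radiator_log(log_text, log_tz)
    failures = [p for _, k, p in events if k == "reload_failed"]
    expired_at = [ts for ts, k, _ in events if k == "crl_expired"]
    # The file on disk explains the error only if it was outside its own window at that time.
    disk_valid = all(validity["lastUpdate"] <= ts < validity["nextUpdate"] for ts in expired_at)
    if not expired_at:
        verdict = "ok"
    elif disk_valid:
        verdict = "stale_in_memory_crl"  # disk copy was valid, so the process checked an old one
    else:
        verdict = "disk_crl_expired"
    return {"reload_failures": failures, "expired_errors": len(expired_at),
            "disk_crl_valid_at_failures": disk_valid, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(RADIATOR_LOG, OPENSSL_CRL_OUTPUT))
```

A verdict of `stale_in_memory_crl` together with a non-empty `reload_failures` list says the reload path never replaced the old CRL in the store, so the next things to check are the ones Heikki names: which OpenSSL library `SSLeay.so` really links against (the `ldd` check), and whether that version's `X509_STORE_add_crl` tolerates a second CRL from the same issuer.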