On 03/24/2014 11:59 PM, Markus Moeller wrote:
> I have set up EAP-TLS for wired 802.1x using CRLCheck, but I noticed that
> despite having the certificate serial number in the CRL Radiator still
> accepts the presented certificate (I also can see Radiator re-read the
> CRL file).

Hello Markus,

I did some testing, compiled Net-SSLeay 1.58 and OpenSSL 1.0.1e. I see the same as you: the file change is noticed by Radiator and the file is loaded. The changes, however, do not have any effect. If I just touch the file without changing it, the libs give the 'cert already in hash table' error.

> I was trying to verify that the serial numbers match using
> the EAPTLS_CertificateVerifyHook function but can't extract the
> certificate serial number. I tried with my $ai =
> &Net::SSLeay::X509_get_serialNumber($x509); which I read does not give
> the serial number but an ASN.1 encoded string. Does anybody have a tool
> which converts it into a serial number which I can compare to the CRL
> serial number?

Are you thinking of this?

my $ai = Net::SSLeay::X509_get_serialNumber($x509);
my $rv = Net::SSLeay::ASN1_INTEGER_get($ai);
print "ai: $ai rv: $rv\n";

> Does anybody have CRL working for EAP TLS?

It does look like a restart is needed when the CRL is refreshed. The verify against CRL seems to work, but refreshing the CRL without restart looks problematic.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
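The conversion Markus asked about, worked through as an added example (this is not Heikki's snippet, nor Radiator's or Net::SSLeay's own code). It assumes Net::SSLeay's P_ASN1_INTEGER_get_hex / P_ASN1_INTEGER_set_hex helpers, X509_new and X509_set_serialNumber are available in the installed version, and that the X509 pointer comes from whatever argument EAPTLS_CertificateVerifyHook receives on your Radiator release (check the reference manual for the argument order; the hook body is left out here). The revoked-serial list is a constructed placeholder, not a real CRL. The point it shows beyond the ASN1_INTEGER_get call is that ASN1_INTEGER_get returns a C long, so it cannot hold the 64-bit and larger serials most CAs issue, whereas a normalised hex string compares correctly against the "Serial Number:" entries that `openssl crl -text` prints.

```perl
#!/usr/bin/perl
# Added example: turn the X509 serial into a comparable hex string and test
# it against a set of revoked serials. Function names below are assumed to
# exist in the installed Net::SSLeay; verify against your version.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

# Serial as upper-case hex without leading zeros. ASN1_INTEGER_get() would
# truncate or fail on serials wider than a C long, so use the hex helper.
sub serial_hex {
    my ($x509) = @_;
    my $ai  = Net::SSLeay::X509_get_serialNumber($x509);  # borrowed pointer, do not free
    my $hex = uc Net::SSLeay::P_ASN1_INTEGER_get_hex($ai);
    $hex =~ s/^0+(?=.)//;                                  # strip zero padding
    return $hex;
}

# Normalise a serial copied from the CRL the same way, so case, colons or
# zero padding in 'openssl crl -text' output cannot defeat the comparison.
sub norm_serial {
    my ($s) = @_;
    $s = uc $s;
    $s =~ s/[^0-9A-F]//g;
    $s =~ s/^0+(?=.)//;
    return $s;
}

sub is_revoked {
    my ($x509, $revoked) = @_;
    return exists $revoked->{ serial_hex($x509) } ? 1 : 0;
}

# Constructed revoked list for this example; in practice fill it from the
# CRL file (e.g. 'openssl crl -in crl.pem -noout -text').
my %revoked = map { norm_serial($_) => 1 } ('0A:1B:2C:3D:4E:5F', '1001');

# Stand-alone check: an empty X509 object with a chosen (constructed) serial.
my $x509 = Net::SSLeay::X509_new();
my $ai   = Net::SSLeay::ASN1_INTEGER_new();
Net::SSLeay::P_ASN1_INTEGER_set_hex($ai, '0A1B2C3D4E5F');
Net::SSLeay::X509_set_serialNumber($x509, $ai);   # copies the value into the cert
printf "serial=%s revoked=%d\n", serial_hex($x509), is_revoked($x509, \%revoked);
Net::SSLeay::ASN1_INTEGER_free($ai);
Net::SSLeay::X509_free($x509);
```

Inside a real hook, `is_revoked` would be called on the presented certificate and the hook would return the value Radiator treats as a failed verification; that return convention is version specific and is not assumed here. Note that this string comparison only helps with the in-hook check Markus was attempting; it does not address the separate observation above that a refreshed CRL file is reloaded but not applied without a restart.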