Hello,
for all of you who are not happy (as I wasn't) that Freeradius doesn't verify
Certificate Revocation Lists.
1. Apply this patch (based on FreeRADIUS 0.8, diff -c):
*** src/modules/rlm_eap/types/rlm_eap_tls/tls.c.orig Wed Jun 11 14:56:09 2003
--- src/modules/rlm_eap/types/rlm_eap_tls/tls.c Thu Jun 12 16:08:19 2003
***************
*** 75,80 ****
--- 75,82 ----
int verify_mode = 0;
int ctx_options = 0;
int type;
+ /* CRL validation Jun 11 2003 ivandolezal */
+ X509_STORE *store = NULL;
/*
* Add all the default ciphers and message digests
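Review bot: the `/* CRL validation Jun 11 2003 ivandolezal */` marker above the new `X509_STORE *store = NULL;` declaration is change-tracking, not documentation of the code; the author and date belong in the ChangeLog or commit message, and the comment left in the source should say what the variable is for (e.g. `/* cert store of ctx, used to enable CRL checking */`).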
***************
*** 102,107 ****
--- 104,113 ----
radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA
list");
return NULL;
}
+ /* CRL validation Jun 11 2003 ivandolezal */
+ store = SSL_CTX_get_cert_store(ctx);
+ X509_STORE_set_flags(store,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
/*
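Review bot: `X509_V_FLAG_CRL_CHECK_ALL` requires a CRL for every CA in the chain, not just the issuing CA, so with a multi-level chain any CA whose CRL is missing from the file loaded via `conf->ca_file` makes every client fail with "unable to get certificate CRL"; consider making the flag configurable (plain `X509_V_FLAG_CRL_CHECK` for the leaf issuer only, `_ALL` when every CA publishes a CRL). Also, since the flags are set on the store at context creation right after the CA file is read, a refreshed CRL appended to that file is not picked up until the server is restarted and its nextUpdate passing will start rejecting all clients; document that requirement next to the `ca_file` option.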
Recompile, reinstall, restart.
2. Periodically append your current crl.pem to the end of the CA certificate and put the result in root.pem in FreeRADIUS; otherwise you could get "unable to get certificate CRL".
3. Send me an e-mail postcard or something. No spam, please. :-)
Ivan Dolezal
Computer Center
VSB - Technical University of Ostrava
Czech Republic
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html