On 6/1/06, sumi thra <[EMAIL PROTECTED]> wrote:
Anybody knows how to revoke the certificates? What changes need to be
done in the freeradius eap.conf file.

No possible changes there will help you for that purpose. Having said
that, I'd like to provide some details I found while digging around
out of curiosity.

Unless mentioned otherwise I'm speaking of freeradius-1.1.1 (.deb
built using released debian subdir) and openssl 0.9.8b (debian/sid).
freeradius uses X509_V_FLAG_CRL_CHECK in
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c, which will only
check a CRL for the last entity in a certificate chain according to
http://www.mail-archive.com/[email protected]/msg42197.html.

I didn't find any spec/rfc/etc that commands this behaviour, but I
think of Dr Henson as being quite authoritative on that issue :)

So I tested an added (better: ORed) X509_V_FLAG_CRL_CHECK_ALL and got
the behaviour the OP wanted: checked CRLs for (all) CAs in a chain.
PEM ones worked.

While I'm not convinced that this makes sense for a (explicitly
trusted) root-CA (the revoked-to-be cert signs the revocation) I do
see a valid use case for honoring revoked intermediate CAs. Despite
RFC2716 6.1 speaking about revoked client certificates only, I think
it would be desirable to incorporate the rationale behind the whole
TLS stuff (RFC2246 D.3). Up to now I didn't look much further for
updated/contradicting related specifications. Any hints?

A quick look into 1.1.2 left me with the impression that nothing would
prevent the same modification there. But before eventually filing some
wishlist bug with a more detailed patch, I'd like to read some
comments on the whole issue, esp. concerning the following:

openssl ca -gencrl -keyfile ./privatekey.pem  -cert  cacert.pem  revoke
cacert.pem -out crl.pem

Not sure what the OP is exactly doing here.
Presuming X509_V_FLAG_CRL_CHECK_ALL shall be used, should it also
honor CRLs for root CAs (as it would do out of the box)? Configurable
choice maybe?

Furthermore, hash-linked CRLs for all possible CAs must be provided in
CA_path, otherwise TLS will fail regardless of the validity of the offered
certs.

1. copied ca & crl to ./ directory (my ca & crl files are in the current
directory)
2. c_rehash ./

tls {
...
CA_file = ./cacert.pem
CA_path = ./
check_crl = yes
}

I was too lazy to check if relative paths do work here. Checking with
absolute ones led to the following caveat: if you combine the needed
CRLs in one file by concatenating, c_rehash only generates one
hashname link by virtue of 'openssl crl [...] -hash' providing only
(the first?) one. Adding the appropriately named missing ones manually
does work.

regards
K. Hoercher
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
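The two points in the message above, CRL_CHECK versus CRL_CHECK_ALL on a multi-level chain and the one-hash-name-per-file caveat of 'openssl crl -hash', as an added example that is not part of this thread or of freeradius: a throwaway root -> intermediate -> leaf chain built with the openssl CLI (assumed installed, 1.1.x or 3.x, with its default openssl.cnf), where the root's CRL revokes the intermediate. All names, subjects and the minimal 'openssl ca' config are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the thread): root -> inter -> leaf, the root's
# CRL revokes the intermediate. -crl_check is X509_V_FLAG_CRL_CHECK (leaf
# only); -crl_check_all is X509_V_FLAG_CRL_CHECK_ALL (every cert in chain).
set -e
command -v openssl >/dev/null || { echo "openssl CLI not found, skipping"; exit 0; }
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext
# sign NAME SUBJ EXTFILE [ISSUER]: new RSA key + CSR, signed by ISSUER or self
sign() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -extfile "$3" -days 30 \
      -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 30 -out "$1.pem" 2>/dev/null
  fi
}
# mkcrl NAME [CERT_TO_REVOKE]: issue NAME.crl with 'openssl ca' (the tool the
# original poster used) driven by a minimal throwaway config and database
mkcrl() {
  mkdir -p "$1.db"; : > "$1.db/index.txt"
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.db/index.txt\n' "$1" > "$1.cnf"
  printf 'default_md=sha256\ndefault_crl_days=30\n' >> "$1.cnf"
  if [ -n "$2" ]; then
    openssl ca -config "$1.cnf" -keyfile "$1.key" -cert "$1.pem" -revoke "$2" 2>/dev/null
  fi
  openssl ca -config "$1.cnf" -keyfile "$1.key" -cert "$1.pem" -gencrl -out "$1.crl" 2>/dev/null
}
# verify_chain FLAG: run 'openssl verify' in the given CRL mode; all CRLs are
# supplied in one concatenated file, as the poster did for CA_path
verify_chain() {
  openssl verify "$1" -CAfile root.pem -CRLfile all.crl -untrusted inter.pem leaf.pem
}
# hash_names FILE: how many hash names 'openssl crl -hash' yields for FILE;
# for a concatenated file it is one (the c_rehash caveat from the message)
hash_names() { openssl crl -hash -noout -in "$1" | wc -l | tr -d ' '; }
sign root demo-root ca.ext
sign inter demo-inter ca.ext root
sign leaf demo-leaf ee.ext inter
mkcrl inter           # empty CRL from the intermediate, covers the leaf
mkcrl root inter.pem  # root's CRL with the intermediate on it
cat root.crl inter.crl > all.crl
verify_chain -crl_check              # leaf.pem: OK (only the leaf is checked)
verify_chain -crl_check_all || true  # fails at depth 1: certificate revoked
echo "hash names for the concatenated CRL file: $(hash_names all.crl)"
```

The second verify fails only because the intermediate is on the root's CRL; with plain -crl_check the revoked intermediate is never looked at, which is the gap the message describes.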
