I am trying to set up EAP-TLS using FreeRadius, and I am using EJBCA to
sign my certs.  I have been able to get everything to work correctly
except the CRL.  I have created a directory
/usr/local/etc/raddb/certs/crls where I am storing my CRL info.  In this
directory I have the certificate chain of the signing CA (in pem format)
and the latest CRL for that CA (also in pem format).  After the CRL is
copied into this directory I execute c_rehash on the directory and
everything runs fine.  When I run radiusd, however, all attempts to
authenticate are denied.  The pertinent portion of the output from
radiusd -X -A is :
 
    
rlm_eap_tls: <<< TLS 1.0 Handshake [length 07b8], Certificate 
--> verify error:num=8:CRL signature failure 
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal decrypt_error 
TLS Alert write:fatal:decrypt error 
TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error
error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is
not 01rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session
fails.
 
 
This seems to tell me that FreeRadius cannot verify the CRL against the
CA cert.  However, when I run:
    openssl crl -in my-crl.pem -inform PEM -CAfile my-cacert.pem -issuer
-lastupdate -nextupdate -noout
it returns verify OK and the correct info on issuer and update times.
 
Also when I run:
    openssl verify -CApath ./ -crl_check test.pem 
it behaves as expected.  
 
Any Ideas?
 
Jeremy Pastin
 
[EMAIL PROTECTED]
312-344-4444
 
First Industrial Realty Trust, Inc.
311 S Wacker Dr
Chicago, IL 60606
 
Phone:  312-344-4425
Fax:  312-895-9425
 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to