> Travis Dimmig wrote:
> > Apologies ahead of time if this information is easily available
> > somewhere else, but everything I found seemed to be a few years out of
> > date. Does freeRadius now have the ability to re-read a certificate
> > revocation list, or does it still require a restart after additions to
> > the CRL?
>
> FreeRADIUS uses OpenSSL for all SSL related things. OpenSSL doesn't
> re-load CRLs dynamically.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

OpenSSL does provide a way of outputting the CRL to a PEM file, though, for instance. Would it not be possible to point freeRadius to such a file and have it either monitor for changes or re-read when attempting a certificate based authentication? A user would be responsible for re-generating that file when a new certificate is revoked, but freeRadius would not have to be restarted.

If this question is off the mark, it is probably because I don't know how freeRadius interacts with OpenSSL for certification validation. Can you explain to me how freeRadius currently checks if a certificate is valid or revoked?

Travis

