On 11 Aug 2011, at 20:46, Travis Dimmig wrote:

>> Travis Dimmig wrote:
>>> Apologies ahead of time if this information is easily available
>>> somewhere else, but everything I found seemed to be a few years out of
>>> date. Does freeRadius now have the ability to re-read a certificate
>>> revocation list, or does it still require a restart after additions to
>>> the CRL?
>>
>> FreeRADIUS uses OpenSSL for all SSL related things. OpenSSL doesn't
>> reload CRLs dynamically.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> OpenSSL does provide a way of outputting the CRL to a PEM file, though, for
> instance. Would it not be possible to point freeRadius to such a file and
> have it either monitor for changes or re-read when attempting a
> certificate-based authentication? A user would be responsible for
> re-generating that file when a new certificate is revoked, but freeRadius
> would not have to be restarted.
If you think it's possible, feel free to submit a patch :) - I think support
was added for OCSP, at least in 3.0; you could probably leverage that if you
needed something more dynamic.

-Arran

Arran Cudbard-Bell
[email protected]

RADIUS - Half the complexity of Diameter
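The thread leaves the operator-side mechanics implicit, so here is an added example (written for this page, not FreeRADIUS or OpenSSL project code) of the workflow Travis describes: a throwaway CA built with "openssl ca", a client certificate issued from it, the certificate revoked, the CRL regenerated as a PEM file, and a certificate checked against that file with "openssl verify -crl_check". It also shows the failure mode the thread is about: between the revocation and the CRL regeneration, a check against the stale crl.pem still passes. Everything in it (the "Demo CA" name, the user alice, the directory layout, the function names) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not FreeRADIUS/OpenSSL project code): build a throwaway CA
# with OpenSSL, issue a client certificate, revoke it, regenerate the CRL as
# a PEM file and check certificates against that file with "openssl verify".
# All names (Demo CA, alice, the directory layout) are constructed for the demo.
set -eu

# Create a minimal "openssl ca" working directory under $1.
setup_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"            # empty database: nothing issued yet
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_client

[ demo_policy ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -config "$dir/openssl.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a client certificate for CN=$2, written to $1/$2.crt (stderr silenced).
issue_cert() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -config "$dir/openssl.cnf" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl ca -batch -config "$dir/openssl.cnf" -notext \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

# Mark certificate $2 as revoked in the CA database. The CRL file is NOT
# updated by this step; that is what regen_crl is for.
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
}

# Regenerate $1/crl.pem from the CA database. This is the PEM file the
# thread talks about: the operator reruns this after every revocation.
regen_crl() {
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Check certificate $2 against $1/ca.crt and $1/crl.pem.
# Prints "ok", "revoked" or "error" and always returns 0 so it is safe
# to call under "set -e".
crl_status() {
    out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$2" 2>&1) \
        && { echo ok; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

demo() {
    dir=$(mktemp -d)
    setup_ca "$dir"
    issue_cert "$dir" alice
    regen_crl "$dir"
    echo "before revocation:            $(crl_status "$dir" "$dir/alice.crt")"
    revoke_cert "$dir" "$dir/alice.crt"
    # The database knows alice is revoked, but crl.pem has not been rebuilt yet.
    echo "after revocation, stale CRL:  $(crl_status "$dir" "$dir/alice.crt")"
    regen_crl "$dir"
    echo "after revocation, fresh CRL:  $(crl_status "$dir" "$dir/alice.crt")"
    rm -rf "$dir"
}
demo
```

The "stale CRL" line is the whole point of the thread: revoking a certificate changes only the CA database, and a verifier that was handed the old crl.pem keeps accepting the certificate until someone regenerates the file and the verifier loads the new one. For FreeRADIUS 2.x that means setting check_crl = yes in the tls section of eap.conf, copying crl.pem into the directory named by ca_path and running c_rehash (or openssl rehash) over it; as Alan's reply says, the CRL is read when the server starts, so a restart is still required after each regeneration unless you use the OCSP support Arran mentions.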

