Hi Fabrice

Yes, will do so. I think we already did that in the lab but let me confirm. I will arrange the Wireshark trace and send it offlist.

Kind Regards
Simon

Royal HaskoningDHV - Internal Use Only

From: Fabrice Durand <oeufd...@gmail.com>
Sent: 02 February 2022 13:14
To: packetfence-users <packetfence-users@lists.sourceforge.net>
Cc: Simon Sutcliffe <simon.sutcli...@rhdhv.com>
Subject: Re: [PacketFence-users] OCSP not functioning to MS PKI

Hello Simon,

since the OCSP URL is http, you could capture the traffic and see what happens exactly.

Regards
Fabrice

On Tue, 1 Feb 2022 at 12:54, Simon Sutcliffe via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi Team

Another day, another issue with our lab that we cannot get to the bottom of with the logging and a bit of tracing.

We have a fully functioning EAP-TLS solution working without having OCSP enabled. When we enable the OCSP checking, the RADIUS returns a reject. This is because we have not enabled softfail in the OCSP profile and there is an error happening.

RADIUS logging shows the following:

Starting OCSP Request
Debug: eap_tls: ocsp: Using responder URL http://pki-2020.corporateroot.net:80/ocsp
ERROR: eap_tls: ocsp: Couldn't verify OCSP basic response
ERROR: eap_tls: (TLS) ocsp: Certificate has been expired/revoked
ERROR: eap_tls: (TLS) Alert write:fatal:internal error
ERROR: eap_tls: (TLS) Server : Error in error
ERROR: eap_tls: (TLS) Failed reading from OpenSSL
ERROR: eap_tls: (TLS) error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error
ERROR: eap_tls: (TLS) error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
ERROR: eap_tls: (TLS) System call (I/O) error (-1)
ERROR: eap_tls: (TLS) EAP Receive handshake failed during operation
ERROR: eap_tls: [eaptls process] = fail

We are using an MS PKI and are aware that we have not enabled NONCE, but in the OCSP profile we have also made sure we do not have it enabled.

[screenshot]

We have also made sure the RADIUS server has a valid certificate just to be sure (Let's Encrypt). This is what is presented in the Audit:

[screenshot]

Matches the logging. Any clues where we need to be?

Kind Regards
Simon

Simon Sutcliffe
IT Architect, Workplace Solutions
T +44 1733 336600 | M +44 7775 823368 | E simon.sutcli...@rhdhv.com | W www.royalhaskoningdhv.com
HaskoningDHV UK Ltd., a company of Royal HaskoningDHV

Royal HaskoningDHV - Internal Use Only
This email and any attachments are intended solely for the use of the addressee(s); disclosure or copying by others than the intended person(s) is strictly prohibited. If you have received this email in error, please treat this email as confidential, notify the sender and delete all copies of the email immediately.

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
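The check Fabrice suggests can also be rehearsed without the live responder. The following is an added example, not code from the thread or from PacketFence: it builds a throwaway PKI with a delegated OCSP signing certificate (the arrangement an MS Online Responder uses), produces a response for the client certificate offline, and verifies it twice with openssl ocsp, once with a trust store that holds the responder's issuing CA and once with an unrelated CA, which reproduces the OCSP_basic_verify "certificate verify error" from the radius log. All CA names, serials and file paths are invented.

```shell
#!/bin/sh
# Added example (not the poster's setup): rebuild the failing eap_tls OCSP check offline with a
# throwaway PKI instead of the real http://pki-2020.corporateroot.net:80/ocsp. Needs only openssl.
LAB=$(mktemp -d)

# Self-signed CA <name>; CA:TRUE is the one extension chain building needs.
mk_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" -out "$LAB/$1.csr" -subj "/CN=$1" 2>/dev/null &&
  printf 'basicConstraints=critical,CA:TRUE\n' > "$LAB/$1.ext" &&
  openssl x509 -req -in "$LAB/$1.csr" -signkey "$LAB/$1.key" -days 2 -extfile "$LAB/$1.ext" -out "$LAB/$1.pem" 2>/dev/null
}
# Leaf cert <name> issued by CA <ca> with extension line <ext> and hex serial <serial>.
mk_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" -out "$LAB/$1.csr" -subj "/CN=$1" 2>/dev/null &&
  printf '%s\n' "$3" > "$LAB/$1.ext" &&
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$2.key" -set_serial "$4" -days 2 \
    -extfile "$LAB/$1.ext" -out "$LAB/$1.pem" 2>/dev/null
}

# Lab PKI: issuing CA, an unrelated CA, the client cert, and a delegated OCSP signing cert
# (an MS Online Responder signs with a CA-issued signing cert like this, not with the CA key).
build_lab() {
  [ -s "$LAB/resp.der" ] && return 0
  mk_ca lab-ca && mk_ca other-ca &&
  mk_cert client lab-ca 'extendedKeyUsage=clientAuth' 0x1000 &&
  mk_cert ocsp-signer lab-ca 'extendedKeyUsage=OCSPSigning' 0x2000 || return 1
  # Responder database: serial 1000 is valid ('V'); 'openssl ocsp' does not read the expiry column.
  printf 'V\t381231235959Z\t\t1000\tunknown\t/CN=client\n' > "$LAB/index.txt"
  # The request a nonce-less RADIUS profile sends, answered offline instead of over HTTP.
  openssl ocsp -issuer "$LAB/lab-ca.pem" -cert "$LAB/client.pem" -no_nonce -reqout "$LAB/req.der" >/dev/null 2>&1
  openssl ocsp -index "$LAB/index.txt" -CA "$LAB/lab-ca.pem" -rsigner "$LAB/ocsp-signer.pem" \
    -rkey "$LAB/ocsp-signer.key" -reqin "$LAB/req.der" -respout "$LAB/resp.der" >/dev/null 2>&1 || true
  [ -s "$LAB/resp.der" ]   # responder-mode exit status varies by version; the written file is what counts
}

# Verify resp.der against trust store <pem>, as eap_tls does with its ca_file. Exit 0 prints
# "Response verify OK"; exit 1 prints "Response Verify Failure" plus the OCSP_basic_verify error
# from the radius log (here: unable to get local issuer certificate for the signing cert).
check_response() {
  openssl ocsp -issuer "$LAB/lab-ca.pem" -cert "$LAB/client.pem" -no_nonce -respin "$LAB/resp.der" -CAfile "$1"
}

demo() {
  build_lab || { echo "lab setup failed" >&2; return 1; }
  for store in lab-ca other-ca; do   # other-ca stands in for a ca_file that lacks the responder's chain
    echo "== trust store: $store =="; check_response "$LAB/$store.pem" 2>&1 | sed 's/^/   /'
  done
}
demo
```

Against a real capture, openssl ocsp -respin on the response body taken from the Wireshark trace, with -CAfile pointing at the same CA file FreeRADIUS trusts, asks the same question; adding -resp_text -noverify shows which certificate signed the response and whether it was included.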