Hello Simon, since the OCSP URL is HTTP, you could capture the traffic and see what happens exactly.
Regards
Fabrice

On Tue, 1 Feb 2022 at 12:54, Simon Sutcliffe via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi Team
>
> Another day, another issue with our lab that we cannot get to the bottom of with the logging and a bit of tracing.
>
> We have a fully functioning EAP-TLS solution working without having OCSP enabled.
>
> When we enable the OCSP checking the radius returns a reject. This is because we have not enabled softfail in the OCSP profile and there is an error happening.
>
> *Radius Logging shows the following*
>
> Starting OCSP Request
> Debug: eap_tls: ocsp: Using responder URL http://pki-2020.corporateroot.net:80/ocsp
> ERROR: eap_tls: ocsp: Couldn't verify OCSP basic response
> ERROR: eap_tls: (TLS) ocsp: Certificate has been expired/revoked
> ERROR: eap_tls: (TLS) Alert write:fatal:internal error
> ERROR: eap_tls: (TLS) Server : Error in error
> ERROR: eap_tls: (TLS) Failed reading from OpenSSL
> ERROR: eap_tls: (TLS) error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error
> ERROR: eap_tls: (TLS) error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
> ERROR: eap_tls: (TLS) System call (I/O) error (-1)
> ERROR: eap_tls: (TLS) EAP Receive handshake failed during operation
> ERROR: eap_tls: [eaptls process] = fail
>
> We are using a MS PKI and are aware that we have not enabled NONCE
>
> But in the OCSP profile we have also made sure we do not have it enabled.
>
> [image: screenshot]
>
> We have also made sure the Radius Server has a valid certificate just to be sure (Let's Encrypt)
>
> This is what is presented in the Audit
>
> [image: screenshot]
>
> Matches the logging.
>
> Any clues where we need to be.
>
> Kind Regards
>
> Simon
>
> *Simon Sutcliffe*
> *IT Architect, Workplace Solutions*
> *T* +44 1733 336600 | *M* +44 7775 823368 | *E* simon.sutcli...@rhdhv.com | *W* www.royalhaskoningdhv.com
> HaskoningDHV UK Ltd., a company of *Royal HaskoningDHV*
>
> Royal HaskoningDHV - Internal Use Only
> This email and any attachments are intended solely for the use of the addressee(s); disclosure or copying by others than the intended person(s) is strictly prohibited. If you have received this email in error, please treat this email as confidential, notify the sender and delete all copies of the email immediately
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
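Alongside the traffic capture suggested in the reply above, the failing step can be reproduced offline. The quoted log ends in `OCSP_basic_verify:certificate verify error`, which OpenSSL raises when it cannot build a trusted chain for the certificate that signed the OCSP response; the "expired/revoked" line that follows is a consequence of that verification failure, not a statement about the client certificate's status. The script below is an added example and is not code from the thread, from FreeRADIUS or from PacketFence: it builds a throwaway lab PKI with the `openssl` CLI (a lab CA, a client certificate, a delegated responder certificate with the OCSPSigning EKU, a second client certificate marked revoked in the CA index, and an unrelated CA), answers a nonce-free request from that index the way an OCSP profile with nonces disabled would, and then verifies the stored response twice: once with the lab CA as trust anchor and once with the unrelated CA, which yields the same verify error as the log. All names, serials and dates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the failing
# OCSP_basic_verify step offline against a throwaway lab PKI, so that
# "certificate verify error" (responder chain not trusted) can be told
# apart from a genuinely revoked client certificate. Assumes only the
# openssl CLI; every name, serial and date below is constructed for this demo.
set -eu

# Generate an EC key plus CSR: $1 = output basename, $2 = subject.
newkey_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# Build the lab PKI in directory $1: a CA, a client cert (serial 0x1001),
# a delegated OCSP responder cert (serial 0x1002, EKU OCSPSigning), a second
# client cert (serial 0x1003) that the CA index marks as revoked, and an
# unrelated CA standing in for a RADIUS trust store that lacks the right anchor.
lab_setup() {
    local d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\n' > "$d/ocsp.ext"
    for ca in lab-ca other-ca; do
        newkey_csr "$d/$ca" "/CN=$ca"
        openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 2 \
            -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null
    done
    newkey_csr "$d/lab-client" "/CN=lab-client"
    openssl x509 -req -in "$d/lab-client.csr" -CA "$d/lab-ca.pem" -CAkey "$d/lab-ca.key" \
        -set_serial 0x1001 -days 2 -out "$d/lab-client.pem" 2>/dev/null
    newkey_csr "$d/lab-ocsp" "/CN=lab-ocsp"
    openssl x509 -req -in "$d/lab-ocsp.csr" -CA "$d/lab-ca.pem" -CAkey "$d/lab-ca.key" \
        -set_serial 0x1002 -days 2 -extfile "$d/ocsp.ext" -out "$d/lab-ocsp.pem" 2>/dev/null
    newkey_csr "$d/lab-revoked" "/CN=lab-revoked"
    openssl x509 -req -in "$d/lab-revoked.csr" -CA "$d/lab-ca.pem" -CAkey "$d/lab-ca.key" \
        -set_serial 0x1003 -days 2 -out "$d/lab-revoked.pem" 2>/dev/null
    # OpenSSL CA index, tab separated: status, expiry, revocation date, serial, file, subject.
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=lab-client\n' > "$d/index.txt"
    printf 'R\t300101000000Z\t220101000000Z\t1003\tunknown\t/CN=lab-revoked\n' >> "$d/index.txt"
}

# Act as the responder: answer a request covering both client certs from the
# index and store the DER response. No nonce is used, like an OCSP profile
# with nonce support turned off.
lab_respond() {
    local d=$1
    openssl ocsp -index "$d/index.txt" -rsigner "$d/lab-ocsp.pem" -rkey "$d/lab-ocsp.key" \
        -CA "$d/lab-ca.pem" -issuer "$d/lab-ca.pem" -cert "$d/lab-client.pem" \
        -cert "$d/lab-revoked.pem" -no_nonce -noverify -respout "$d/resp.der" >/dev/null
}

# Act as the verifier (the role the RADIUS server plays): check the stored
# response with $2 as the only configured trust anchor. Prints
# "verified <client status> <revoked status>" when the responder chain is
# trusted, or "verify-failed" when OCSP_basic_verify rejects it.
ocsp_verify_with() {
    local d=$1 anchor=$2 out
    if out=$(openssl ocsp -respin "$d/resp.der" -issuer "$d/lab-ca.pem" \
            -cert "$d/lab-client.pem" -cert "$d/lab-revoked.pem" \
            -no_nonce -CAfile "$anchor" 2>&1); then
        echo "verified $(printf '%s\n' "$out" | sed -n 's/^.*lab-client\.pem: //p') $(printf '%s\n' "$out" | sed -n 's/^.*lab-revoked\.pem: //p')"
    else
        echo "verify-failed"
    fi
}

main() {
    local d
    d=$(mktemp -d)
    lab_setup "$d"
    lab_respond "$d"
    echo "anchor = lab CA   : $(ocsp_verify_with "$d" "$d/lab-ca.pem")"
    echo "anchor = other CA : $(ocsp_verify_with "$d" "$d/other-ca.pem")"
    rm -rf "$d"
}
main
```

With the lab CA as anchor the run reports `verified good revoked`, so the revoked certificate is recognised as revoked while the good one passes; with the unrelated CA the same response fails verification before any status is trusted, which is the shape of the quoted FreeRADIUS log. Run with `sh` or `bash`; the per-run working directory is created with `mktemp -d` and removed afterwards.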