On 15.8.2023 23.53, Stefan Paetow (OpenSource) via radiator wrote:

I suppose I should also provide the details I have in the Radiator configuration:

         Protocol tcp
         UseTLS
         TLS_Protocols TLSv1.2
         Secret radsec
         TLS_CAFile %D/cert/roaming-eduPKI-CA.crt
         TLS_CertificateFile %D/cert/hostname-eduPKI.pem
         TLS_CertificateType PEM
         TLS_PrivateKeyFile %D/cert/hostname-key.pem
         TLS_PolicyOID [redacted]
         TLS_RequireClientCert
         TLS_Ciphers [redacted]
         TLS_OCSPCheck
         TLS_OCSPStapling
#        TLS_CRLCheck
#        TLS_CRLFile %D/cert/cacrl.pem

I would have thought that the TLS_CAFile value would be used by -issuer and -CAfile. I suspect by the error message displayed, that the -CAfile value is not being supplied (and the CA assumed to be in the default CA directory)...

Radiator uses OpenSSL APIs via Net::SSLeay for OCSP processing. It doesn't call 'openssl ocsp ...' to do this.

You'd need to have the Perl LWP::UserAgent module installed for talking to the OCSP responder (server); that's one external dependency that is required.

As before, thoughts are much appreciated :-)

If you send me the logs, I can take a further look. It should work even with the latest OpenSSL 3.1.2, tested with the demo certificates that come with Radiator, but it's hard to say much more without seeing the logs.

Thanks,
Heikki

Stefan

On Tue, 15 Aug 2023 at 21:32, Stefan Paetow (OpenSource) <[email protected]> wrote:

    Hi there,

    So, I've tried to use OCSP validation with the certificates issued
    by eduPKI (so this covers the majority of eduroam national
    operators and some identity providers). Radiator didn't like it and
    kicked up failures.

    I then tried manually verifying and that succeeds, using this
    command-line:

    openssl ocsp -issuer /etc/radiator/cert/roaming-eduPKI-CA.crt \
        -cert /etc/radiator/cert/hostname-eduPKI.pem \
        -CAfile /etc/radiator/cert/roaming-eduPKI-CA.crt \
        -url http://ocsp.edupki.org/OCSP-Server/OCSP

    The URL is obviously retrieved from the certificate, but it appears
    there's something missing when Radiator tries to do an OCSP verify.

    Thoughts?

    With kind regards

    Stefan


_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
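As an added example (not from this thread, and not Radiator's own code), a small POSIX shell script that performs the manual check Stefan describes, but reads the responder URL from the certificate's AIA extension the way a client does instead of hard-coding it, and treats a failed responder-signature verification separately from a "revoked" status. The file paths are the ones from the command quoted above and are assumptions to adjust; the status strings matched are the ones `openssl ocsp` prints.

```shell
#!/bin/sh
# Added example (not from the thread or from Radiator): reproduce by hand
# the check a RadSec peer does when TLS_OCSPCheck is on, using the same
# files the configuration above names. Paths are assumed; adjust to your
# Radiator directory (%D).
set -eu

CA_FILE="${CA_FILE:-/etc/radiator/cert/roaming-eduPKI-CA.crt}"
CERT_FILE="${CERT_FILE:-/etc/radiator/cert/hostname-eduPKI.pem}"

# Read the responder URL from the certificate's AIA extension instead of
# hard-coding it; a client derives it the same way.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Classify the status line openssl ocsp prints for the queried certificate
# ("<file>: good" / "revoked" / "unknown"). Exit code 0 only for "good".
ocsp_status() {
    case "$1" in
        *": good"*)    echo good;    return 0 ;;
        *": revoked"*) echo revoked; return 1 ;;
        *": unknown"*) echo unknown; return 2 ;;
        *)             echo error;   return 3 ;;
    esac
}

# Full check: $1 = CA/issuer file, $2 = certificate to check.
# -issuer is used to build the certificate ID in the request; -CAfile is the
# trust anchor for the responder's signature. Here both are the same file,
# as in the command quoted in the thread.
check_ocsp() {
    uri=$(ocsp_uri "$2")
    [ -n "$uri" ] || { echo "no OCSP URI in $2" >&2; return 3; }
    out=$(openssl ocsp -issuer "$1" -cert "$2" -CAfile "$1" -url "$uri" 2>&1) || true
    # openssl still prints a status after a failed signature check, so test
    # for the failure first: an unverifiable "good" must not count as good.
    case "$out" in
        *"Response Verify Failure"*)
            echo "responder signature does not chain to $1" >&2; return 3 ;;
    esac
    ocsp_status "$out"
}

# Stand-alone use: run the script with CA_FILE / CERT_FILE set in the
# environment (or the defaults above) and check its exit code.
if [ -r "$CERT_FILE" ]; then
    check_ocsp "$CA_FILE" "$CERT_FILE"
fi
```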