Hi Heikki,

This is in the log (I'm running in DEBUG, if you need TRACE, please let me know):

599943: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamServer: New connection from [IP_ADDRESS] port 37591
602499: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Stream connected to [IP_ADDRESS] ([IP_ADDRESS] port 37591)
602877: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS sessionInit for [IP_ADDRESS]
604329: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive:
605208: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL initialization
605518: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL initialization
605824: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL initialization
606136: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1, reason/error: 'SSL_ERROR_WANT_READ', state: 'before SSL initialization'
606597: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS Server Started for [IP_ADDRESS] ([IP_ADDRESS] port 37591)
606885: DEBUG: ServerRADSEC (EDUROAM_RADSEC) New StreamServer Connection created for [IP_ADDRESS] port 37591
607573: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive: [...]
607870: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: before SSL initialization
608319: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS read client hello
608581: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write server hello
609117: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write certificate
626293: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write key exchange
626717: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write certificate request
626958: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write server done
627333: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write server done
627628: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1, reason/error: 'SSL_ERROR_WANT_READ', state: 'SSLv3/TLS write server done'
627994: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS send: [...]
636950: DEBUG: ServerRADSEC (EDUROAM_RADSEC) StreamTLS receive: [...]
637410: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: SSLv3/TLS write server done
638238: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Verifying certificate presented by peer [IP_ADDRESS]
638609: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Issuer Name is /DC=org/DC=edupki/CN=eduPKI CA G 01
638884: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Subject Name is [redacted]
639147: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Certificate Serial Number is [redacted]
639804: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS sending OCSP request to URI 'http://ocsp.edupki.org/OCSP-Server/OCSP' for certificate: 3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2
034756: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS OCSP response received for certificate: 3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2
036004: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS OCSP response verification '3045300906052b0e03021a05000414e0edac4bf41cfcbce33a156b554e92fac28f0c5c0414d2f223bd4aa17fcfa05884ebfce65b08b3cdb4e4020c2427658a363cc6c6452df2e2' failed: 0
036330: WARNING: ServerRADSEC (EDUROAM_RADSEC) Verifying OCSP response failed for Subject '[redacted]' presented by peer [IP_ADDRESS]
036681: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: error
036944: DEBUG: ServerRADSEC (EDUROAM_RADSEC) TLS state: error
037213: DEBUG: ServerRADSEC (EDUROAM_RADSEC) SSL_accept result: -1, reason/error: 'SSL_ERROR_SSL', state: 'error'
037592: ERR: ServerRADSEC (EDUROAM_RADSEC) SSL_accept Certificate verification error ([IP_ADDRESS] port 37591): verify error: application verification failure, error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error 00000000 error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
037852: DEBUG: ServerRADSEC (EDUROAM_RADSEC) Stream disconnected from [IP_ADDRESS] ([IP_ADDRESS] port 37591)

I've redacted the source IP and the subject. I look at the 'response verification' line (036004) where the result code is 0, which usually means it was successful.

And yeah, like you say, you use APIs, and I considered whether adding the CA certificate into the trusted store on the machine would make a difference, but it doesn't appear so. Is there possibly an assumption within Net::SSLeay that if you don't specify a certificate somehow to verify the response with that the trusted store is used? :-/

I will note though that the response does not include a nonce (if the request contains one), although that's not a requirement... This is the case when I use 'openssl verify', so I assume the same applies to the API.

Kind regards

Stefan

On Wed, 16 Aug 2023 at 10:02, Heikki Vatiainen via radiator <[email protected]> wrote:
> On 15.8.2023 23.53, Stefan Paetow (OpenSource) via radiator wrote:
>
> > I suppose I should also provide the details I have in the Radiator configuration:
> >
> > Protocol tcp
> > UseTLS
> > TLS_Protocols TLSv1.2
> > Secret radsec
> > TLS_CAFile %D/cert/roaming-eduPKI-CA.crt
> > TLS_CertificateFile %D/cert/hostname-eduPKI.pem
> > TLS_CertificateType PEM
> > TLS_PrivateKeyFile %D/cert/hostname-key.pem
> > TLS_PolicyOID [redacted]
> > TLS_RequireClientCert
> > TLS_Ciphers [redacted]
> > TLS_OCSPCheck
> > TLS_OCSPStapling
> > # TLS_CRLCheck
> > # TLS_CRLFile %D/cert/cacrl.pem
> >
> > I would have thought that the TLS_CAFile value would be used by -issuer and -CAfile. I suspect by the error message displayed, that the -CAfile value is not being supplied (and the CA assumed to be in the default CA directory)...
>
> Radiator uses OpenSSL APIs via Net::SSLeay for OCSP processing. It doesn't call 'openssl ocsp ...' to do this.
>
> You'd need to have Perl LWP::UserAgent module installed for talking to the OCSP responder (server), that's one external dependency that is required.
>
> > As before, thoughts are much appreciated :-)
>
> If you send me the logs, I can take a further look. It should work even with the latest OpenSSL 3.1.2, tested with the demo certificates that come with Radiator, but it's hard to say much more without seeing the logs.
>
> Thanks,
> Heikki
>
> > Stefan
> >
> > On Tue, 15 Aug 2023 at 21:32, Stefan Paetow (OpenSource) <[email protected]> wrote:
> >
> > Hi there,
> >
> > So, I've tried to use OCSP validation with the certificates issued by eduPKI (so this covers the majority of eduroam national operators and some identity providers). Radiator didn't like it and kicked up failures.
> >
> > I then tried manually verifying and that succeeds, using this command-line:
> >
> > openssl ocsp -issuer /etc/radiator/cert/roaming-eduPKI-CA.crt -cert /etc/radiator/cert/hostname-eduPKI.pem -CAfile /etc/radiator/cert/roaming-eduPKI-CA.crt -url http://ocsp.edupki.org/OCSP-Server/OCSP
> >
> > The URL is obviously retrieved from the certificate, but it appears there's something missing when Radiator tries to do an OCSP verify.
> >
> > Thoughts?
> >
> > With kind regards
> >
> > Stefan
> >
> > _______________________________________________
> > radiator mailing list
> > [email protected]
> > https://lists.open.com.au/mailman/listinfo/radiator
>
> --
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software
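As an added, offline illustration of the check that failed in the log above (example code, not from the thread or from Radiator): the ERR line attributes the failure to OpenSSL's OCSP_basic_verify, which, after checking the response signature, must build a chain from the responder's signing certificate to the trust store it was handed. The script builds a throw-away PKI with the openssl command-line tool (all names and files are constructed), answers an OCSP request locally with a delegated responder, and verifies the response first against the issuing CA and then against an unrelated CA, which reproduces the same 'certificate verify error'; it assumes only that openssl is on PATH.

```shell
# Constructed throw-away PKI: a CA, the RADSEC peer's certificate, a delegated
# OCSP signer, and an unrelated CA standing in for a trust store missing the issuer.
set -e
W=$(mktemp -d)
cd "$W"
# Minimal req config so the system openssl.cnf is never consulted.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
extendedKeyUsage = serverAuth,clientAuth
[ocsp_ext]
extendedKeyUsage = OCSPSigning
EOF
mk_ca() {   # $1 = CN, $2 = file base name: self-signed CA certificate and key
  openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -extensions ca_ext -keyout "$2.key" -out "$2.crt" 2>/dev/null
}
mk_cert() { # $1 = CN, $2 = base name, $3 = serial, $4 = extension section; issued by ca.crt
  openssl req -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -set_serial "$3" -days 1 \
    -extfile req.cnf -extensions "$4" -out "$2.crt" 2>/dev/null
}
build_pki() {
  mk_ca TestCA ca                    # issuer of the peer certificate
  mk_ca OtherCA other                # unrelated CA: a trust store without TestCA
  mk_cert leaf leaf 1000 leaf_ext    # the peer certificate (serial 0x03E8)
  mk_cert ocsp ocsp 1001 ocsp_ext    # delegated OCSP responder certificate
  # CA index marking serial 03E8 as (V)alid; 'openssl ocsp -index' answers from it.
  printf 'V\t20991231235959Z\t\t03E8\tunknown\t/CN=leaf\n' > index.txt
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null
  openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
    -no_nonce -reqin req.der -respout resp.der >/dev/null
}
# Verify resp.der as OCSP_basic_verify does, trusting only the CA file in $1.
verify_with() {
  openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -respin resp.der \
    -CAfile "$1" -no-CApath
}
build_pki
verify_with ca.crt                 # Response verify OK, leaf.crt: good
if ! verify_with other.crt; then   # responder certificate cannot chain to the store
  echo "Response Verify Failure: the same OCSP 'certificate verify error' the Radiator log shows"
fi
```

Whatever trust store the verifier is given must contain the CA that issued the responder's signing certificate, not only the CA that issued the peer certificate; when those differ, the manual command succeeds or fails depending on the -CAfile argument exactly as the two runs above do.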
