On 10/30/2013 10:39 PM, Markus Moeller wrote:
> I have linked it statically to avoid mixup with system libraries. There
> is no way to check it in another way is there ?
If you have Net::SSLeay newer than 1.42, try putting this in Radiator
configuration:
StartupHook sub { use Net::SSLeay; main::log($main::LOG_INFO, \
"SSL version: " . \
sprintf("0x%x", Net::SSLeay::SSLeay())); }
You should find something like this from Radiator logs:
INFO: SSL version: 0x1000100f
See this for more info:
http://search.cpan.org/~mikem/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions
Thanks,
Heikki
> Markus
>
> -----Original Message----- From: Heikki Vatiainen
> Sent: Wednesday, October 30, 2013 5:11 PM
> To: Markus Moeller ; [email protected]
> Subject: Re: [RADIATOR] CRL reload question
>
> On 10/29/2013 12:41 AM, Markus Moeller wrote:
>
>> I still get the same error with openssl 1.0.1. The CRL on disk is new,
>> but radiator says CRL is expired. Radiator also gives a reload CRL error
>> saying the CRL already exists.
>
> Hello Markus,
>
> can you do one more test? Check with 'ldd
> /path/to/auto/Net/SSLeay/SSLeay.so' that it links against the OpenSSL
> libs you expect it to.
>
> Thanks,
> Heikki
>
>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_1.pem'
>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_1.pem': error:0B07D065:x509
>> certificate routines:X509_STORE_add_crl:cert already in hash table
>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_2.pem'
>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_2.pem': error:0B07D065:x509
>> certificate routines:X509_STORE_add_crl:cert already in hash table
>> Mon Oct 28 22:15:22 2013: DEBUG: (Re)loading CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_4.pem'
>> Mon Oct 28 22:15:22 2013: ERR: Failed to add CRL file
>> '/opt/radiator/etc/certs/crls/User_CA_4.pem': error:0B07D065:x509
>> certificate routines:X509_STORE_add_crl:cert already in hash table
>> Mon Oct 28 22:20:52 2013: INFO: EAP TLS certificate verification failed:
>> CRL has expired, 19868: 1 - error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> Mon Oct 28 22:21:23 2013: INFO: EAP TLS certificate verification failed:
>> CRL has expired, 19868: 1 - error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>
>> # ls -al User_CA_2.pem
>> -rwxrwxrwx 1 root root 70699 Oct 28 21:55 User_CA_2.pem
>>
>> # /usr/sfw/bin/openssl crl -in User_CA_2.pem -noout -lastupdate
>> -nextupdate
>> lastUpdate=Oct 28 19:26:37 2013 GMT
>> nextUpdate=Nov 11 19:26:37 2013 GMT
>>
>>
>>
>> Markus
>>
>> -----Original Message----- From: Markus Moeller
>> Sent: Monday, September 30, 2013 10:50 PM
>> To: Heikki Vatiainen ; [email protected]
>> Subject: Re: [RADIATOR] CRL reload question
>>
>> Hi Heikki,
>>
>> OK I'll try with a later 1.x version.
>>
>> Thank you
>> Markus
>>
>> -----Original Message----- From: Heikki Vatiainen
>> Sent: Monday, September 30, 2013 10:18 PM
>> To: [email protected]
>> Subject: Re: [RADIATOR] CRL reload question
>>
>> On 09/29/2013 04:52 PM, Markus Moeller wrote:
>>
>>> I would expect something like this:
>>>
>>> If error "already in hashtable"
>>>
>>> $self->log($main::LOG_ERR, "Free old entry and add new CRL");
>>>
>>
>> Hello Markus,
>>
>> we have not looked at CRL reloading lately so I can not tell if the new
>> functions would help with CRL reloading. However, a quick look at
>> OpenSSL shows the CRL lookups in X509_STORE_add_crl are done differently
>> in 1.x versions than e.g., in 0.9.8x. Also, these changes between 0.9.x
>> and 1.0.0 look promising (OpenSSL changelog):
>>
>> *) Allow multiple CRLs to exist in an X509_STORE with matching issuer
>> names.
>> Modify get_crl() to find a valid (unexpired) CRL if possible.
>> [Steve Henson]
>>
>> *) New function X509_CRL_match() to check if two CRLs are identical.
>> Normally
>> this would be called X509_CRL_cmp() but that name is already used by
>> a function that just compares CRL issuer names. Cache several CRL
>> extensions in X509_CRL structure and cache CRLDP in X509.
>> [Steve Henson]
>>
>> If you plan to test this, can you see if you get different results with
>> OpenSSL 1.0.x versions than 0.9.8x?
>>
>> Thanks,
>> Heikki
>>
>>> loop over objects
>>> my $idx = 0 ?????
>>> for (i = $idx ; i< $cert_store->num; i++) {
>>> my $obj = $cert_store->data[i];
>>> if (obj->data.crl == $crl->data.crl) {
>>> &Net::SSLeay::X509_CRL_free($obj);
>>> $obj = Net::SSLeay::X509_CRL_new();
>>> $obj->data.crl = $crl;
>>> $cert_store->data[i] = $obj;
>>> break
>>> }
>>> }
>>>
>>> in TLS.pm. I haven’t tried it yet as I haven’t got a dev setup ready,
>>> but wonder if that looks sensible.
>>
>
>
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
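As an added stand-alone check (Python, written for this page; not Radiator's or Net::SSLeay's own code), the block below decodes the hex value that the StartupHook above logs and classifies each on-disk CRL against a Radiator log timestamp, which separates a genuinely expired file from a stale in-memory CRL left behind by a failed reload. It assumes the CRL directory and the openssl/log time formats shown in the thread, and treats log timestamps as UTC.

```python
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y"      # "Oct 28 19:26:37 2013" (openssl prints GMT)
RADIATOR_TIME_FMT = "%a %b %d %H:%M:%S %Y"  # "Mon Oct 28 22:20:52 2013" (log line prefix)

def decode_openssl_version(num):
    """Decode a pre-3.0 OPENSSL_VERSION_NUMBER (0xMNNFFPPS), e.g. 0x1000100f -> '1.0.1'."""
    major, minor, fix = (num >> 28) & 0xF, (num >> 20) & 0xFF, (num >> 12) & 0xFF
    patch, status = (num >> 4) & 0xFF, num & 0xF
    text = f"{major}.{minor}.{fix}"
    if patch:                      # patch 1 -> 'a', 2 -> 'b', ... (1.0.1g is 0x1000107f)
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += f"-beta{status}"
    return text

def parse_crl_dates(openssl_output):
    """Pull lastUpdate/nextUpdate out of 'openssl crl -noout -lastupdate -nextupdate' output."""
    dates = {}
    for m in re.finditer(r"^(lastUpdate|nextUpdate)=(.+?) GMT\s*$", openssl_output, re.M):
        dates[m.group(1)] = datetime.strptime(m.group(2), OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    return dates

def crl_status(openssl_output, log_timestamp):
    """Classify the CRL file relative to a Radiator log timestamp (assumed UTC here)."""
    now = datetime.strptime(log_timestamp, RADIATOR_TIME_FMT).replace(tzinfo=timezone.utc)
    d = parse_crl_dates(openssl_output)
    if "lastUpdate" not in d:
        return "unparsed"
    if now < d["lastUpdate"]:
        return "not-yet-valid"
    if "nextUpdate" in d and now > d["nextUpdate"]:
        return "expired"          # the file itself is stale, not just the in-memory store
    return "valid"                # "CRL has expired" with this result points at a reload problem

def scan_crl_dir(crl_dir, log_timestamp, openssl="openssl"):
    """Run the same check over every *.pem in a CRL directory (needs the openssl binary)."""
    results = {}
    for pem in sorted(Path(crl_dir).glob("*.pem")):
        cmd = [openssl, "crl", "-in", str(pem), "-noout", "-lastupdate", "-nextupdate"]
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        results[pem.name] = crl_status(out, log_timestamp)
    return results

if __name__ == "__main__":
    print("Net::SSLeay reports OpenSSL", decode_openssl_version(0x1000100f))
    now = datetime.now(timezone.utc).strftime(RADIATOR_TIME_FMT)
    print(scan_crl_dir("/opt/radiator/etc/certs/crls", now))  # path from the thread
```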