Re: Freeradius v3.0.19 prioritize OCSP in checking client certificate rather than crl.
On Sep 3, 2019, at 11:11 PM, Dennis Diamsay <[hidden email]> wrote:
> Using Freeradius to authenticate client certificate using EAP, I noticed that CRL checking is prioritized over OCSP.
> If check_crl is disabled in the eap configuration, that is the only time the OCSP checking will take place.
> Can someone help me on how to configure freeradius to prioritize OCSP in checking client certificate?
Change the source. See src/main/tls.c, and the function cbtls_verify().
The main issue is that CRL checking is done in OpenSSL *before* that function is called. So we can't really control the order of operations.
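
The OCSP-only setup described in the question, as an added configuration fragment that is not part of the original thread or the project's shipped defaults. It assumes the stock FreeRADIUS 3.0.x `mods-available/eap` layout; the responder URL is a placeholder.

```conf
# mods-available/eap (FreeRADIUS 3.0.x): fragment of the TLS configuration only.
eap {
	tls-config tls-common {
		# CRL checking happens inside OpenSSL's chain verification, before
		# cbtls_verify() is called, so it cannot be ordered after OCSP.
		# Per the thread, OCSP is only consulted when this is off.
		check_crl = no

		ocsp {
			# Ask an OCSP responder about the client certificate.
			enable = yes

			# Use the URL below instead of the responder named in the
			# certificate itself.
			override_cert_url = yes
			url = "http://ocsp.example.org/"	# placeholder responder

			# With CRLs disabled, OCSP is the only revocation check left.
			# "no" rejects the certificate when the responder cannot be
			# reached or returns an invalid response, instead of accepting it.
			softfail = no
		}
	}
}
```

With `check_crl = no`, revocation depends entirely on the OCSP responder being reachable, so its availability becomes part of the authentication path.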