Freeradius v3.0.19 prioritize OCSP in checking client certificate rather than crl.


Dennis Diamsay
Hi Community,

Using FreeRADIUS to authenticate a client certificate using EAP, I noticed that CRL checking is prioritized over OCSP.

If check_crl is disabled in the eap configuration, that is the only time the OCSP checking will take place.

Can someone help me with how to configure FreeRADIUS to prioritize OCSP when checking the client certificate?

Thank you in advance.

My test cases are:

1. Client certificate verification using OCSP

2. If OCSP is OFFLINE, client certificate verification using CRL.

3. If OCSP goes back ONLINE, client certificate verification using OCSP.


Dennis Diamsay
[hidden email]




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius v3.0.19 prioritize OCSP in checking client certificate rather than crl.

Alan DeKok-2
On Sep 3, 2019, at 11:11 PM, Dennis Diamsay <[hidden email]> wrote:
> Using FreeRADIUS to authenticate a client certificate using EAP, I noticed that CRL checking is prioritized over OCSP.
>
> If check_crl is disabled in the eap configuration, that is the only time the OCSP checking will take place.
>
> Can someone help me with how to configure FreeRADIUS to prioritize OCSP when checking the client certificate?

  Change the source.  See src/main/tls.c, and the function cbtls_verify().

  The main issue is that CRL checking is done in OpenSSL *before* that function is called.  So we can't really control the order of operations.

  Alan DeKok.


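The practical consequence of Alan's answer, written up here as an added example rather than anything posted in the thread: the order cannot be changed in configuration, but the two checks can be combined so that a revoked certificate is rejected by whichever source is reachable. The keys below are the ones in the stock FreeRADIUS 3.0.x mods-available/eap file (check_crl, ca_path, and the ocsp subsection with enable, override_cert_url, url, use_nonce, timeout and softfail); the certificate file names and the ${certdir}/${cadir} variables are the stock defaults, and the responder URL is a placeholder.

```conf
eap {
        tls-config tls-common {
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                ca_file = ${cadir}/ca.pem

                # OpenSSL performs the CRL check before cbtls_verify() runs,
                # so when check_crl = yes the CRL verdict is always applied
                # first. ca_path must contain the CA certificate and its CRL,
                # hashed with c_rehash (or "openssl rehash").
                check_crl = yes
                ca_path = ${cadir}

                ocsp {
                        # OCSP is consulted only for certificates that have
                        # already passed the CRL check above.
                        enable = yes

                        # Take the responder from the client certificate's
                        # AIA extension; set to yes to force "url" instead.
                        override_cert_url = no
                        url = "http://ocsp.responder.example/"   # placeholder

                        use_nonce = yes
                        timeout = 0

                        # softfail = yes: an unreachable responder is not a
                        # rejection, so the CRL verdict already applied stands.
                        # softfail = no: an unreachable responder rejects.
                        softfail = yes
                }
        }
}
```

With this configuration a certificate listed on the CRL is rejected before OCSP is contacted, a certificate revoked only at the responder is rejected while the responder is reachable, and an unreachable responder leaves the CRL as the deciding source. That covers the three test cases in the question except for the check order itself. Run radiusd -X to watch which check produced a rejection.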