OCSP Response Signed by other CA


OCSP Response Signed by other CA

Mike DiBella
I'm attempting to add OCSP certificate verification to EAP, but my responder hosts multiple CAs and signs the responses with a cert common to all.   I think freeradius is assuming that the signer of the OCSP response will be the same as the signer of the client certificate, and I can't see an option to override this behavior.   I've already tried concatenating the OCSP signer to the client trust certificate file, but freeradius still fails validation with "Error: rlm_eap: SSL error error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted".   Any ideas?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: OCSP Response Signed by other CA

Mike DiBella
In testing my OCSP responder configuration I've found that the following openssl command:

openssl ocsp -issuer client_cer_root.cer -cert client.cer -VAfile ocsp_signer.cer -url http://ocsp.responder.net/ocsp

returns:

Response verify OK
client.cer: good
        This Update: Oct 31 11:43:47 2019 GMT
        Next Update: Nov  2 00:03:47 2019 GMT

I see that there is a client keyword in the verify section of the eap configuration file. I'm wondering if I can substitute this command for the default openssl verify command prototyped in the file?

In my testing, it looks like openssl returns exit 0 for both verified and responder errors, so I'm wondering how freeradius parses the result of the command.

From: Mike DiBella
Sent: Wednesday, October 30, 2019 3:08 PM
To: '[hidden email]' <[hidden email]>
Subject: OCSP Response Signed by other CA

Re: OCSP Response Signed by other CA

Alan DeKok-2


> On Oct 31, 2019, at 2:09 PM, Mike DiBella <[hidden email]> wrote:
>
> In testing my OCSP responder configuration I've found that the following openssl command:
>
> openssl ocsp -issuer client_cer_root.cer -cert client.cer -VAfile ocsp_signer.cer -url http://ocsp.responder.net/ocsp
>
> returns:
>
> Response verify OK
> client.cer: good
>        This Update: Oct 31 11:43:47 2019 GMT
>        Next Update: Nov  2 00:03:47 2019 GMT
>
> I see that there is a client keyword in the verify section of the eap configuration file. I'm wondering if I can substitute this command for the default openssl verify command prototyped in the file?

  Yes, that should mostly work.  You should use %{TLS-Client-Cert-Filename} instead of a hard-coded filename though.  The server will write the client certificate to a temporary file, and then clean it up after OCSP tests are done.

> In my testing, it looks like openssl returns exit 0 for both verified and responder errors, so I'm wondering how freeradius parses the result of the command.

  FreeRADIUS looks for the command to succeed / fail.  If the OCSP responder is down, OpenSSL may do various magic.  :(

  The solution is to ensure that critical pieces of infrastructure stay up.

  Alan DeKok.


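The two points raised in this thread (a delegated OCSP signer passed via -VAfile, and FreeRADIUS only checking whether the verify command succeeds or fails) can be combined in a small wrapper. The script below is an added example, not code from the thread or from the FreeRADIUS project; the certificate paths, the responder URL and the script location in the comment are assumptions.

```shell
#!/bin/sh
# Wrapper for the "client" entry of the eap "verify" section, called as
#   client = "/usr/local/bin/ocsp-check.sh %{TLS-Client-Cert-Filename}"
# It runs "openssl ocsp" with the delegated responder signer (-VAfile) and
# maps the textual result to an exit status, because the thread reports
# openssl exiting 0 even when the answer is unusable. Paths and URL are
# assumed values; adjust them for your deployment.

ISSUER_CA="${ISSUER_CA:-/etc/raddb/certs/client_cer_root.cer}"
OCSP_SIGNER="${OCSP_SIGNER:-/etc/raddb/certs/ocsp_signer.cer}"
OCSP_URL="${OCSP_URL:-http://ocsp.responder.net/ocsp}"

# ocsp_status CERTFILE OUTPUT
# Prints good / revoked / unknown / error for "openssl ocsp" text output.
# Returns 0 only for a verified "good"; an answer that did not verify
# against OCSP_SIGNER is "error" even if it claims the cert is good.
ocsp_status() {
    cert=$1
    out=$2
    status=error
    case $out in
        *"Response verify OK"*) ;;
        *) echo "$status"; return 1 ;;
    esac
    # openssl prints "<certfile>: good|revoked|unknown" for the queried cert.
    while IFS= read -r line; do
        case $line in
            "$cert: good"*)    status=good ;;
            "$cert: revoked"*) status=revoked ;;
            "$cert: unknown"*) status=unknown ;;
        esac
    done <<EOF
$out
EOF
    echo "$status"
    [ "$status" = good ]
}

# verify_client_cert CERTFILE: query the responder; exit non-zero unless the
# response verified and the status is "good" (FreeRADIUS checks only that).
verify_client_cert() {
    out=$(openssl ocsp -issuer "$ISSUER_CA" -cert "$1" \
          -VAfile "$OCSP_SIGNER" -url "$OCSP_URL" 2>&1)
    ocsp_status "$1" "$out"
}

case $# in
    0) ;;                                  # no argument: only define functions
    *) verify_client_cert "$1"; exit $? ;;
esac
```

A responder outage therefore fails authentication rather than silently passing it; if that is not the policy you want, that decision belongs in the wrapper, not in the exit code of openssl.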