All freeradius eap-tls authentications fail when an SSL revocation list is enabled
-
there wont be... Pull out what gets added and look in what is in the CRL... you can do that with the cmd I posted above.
This works fine for me with either blank crl or crl with different cert revoked - my client that is not listed the crl. When i get home tonight I will revoke my client so that it blocks it... Then remove it from the crl, etc..
if your crl is getting added, your going to have to look to see what is in there - maybe your blocking your clients cert? Once I got the crl to be added to the ca pem, I have not been able to duplicate your problem.
-
I decoded the CRL and found 17 revoked certs, exactly the number of certs in the CRL displayed in the GUI, none of them were the serial of my cert. I added my cert in and see that it's added the CRL. Then I removed it and restarted freeradius. My cert was still in the revoked list in ca_cert.pem. So I changed the setting to none and back, this removed my cert from ca_cert.pem. In spite of this I still can't logon with my cert unless the CRL is set to none.
-
Are you actually restarting freerad when you change the certs listed in your crl?
I can not duplicate this
Nov 3 06:02:04 radiusd 29895 (7) Login OK: [j-iphone] (from client uap-pro port 0 cli D0-C5-F3-1F-EB-FF) 192.168.2.2 Nov 3 06:08:08 radiusd 78645 (27) Login incorrect (Failed retrieving values required to evaluate condition): [j-iphone/<via Auth-Type = eap>] (from client uap-pro port 0 cli D0-C5-F3-1F-EB-FF) 192.168.2.2 Nov 3 06:12:49 radiusd 95969 (7) Login OK: [j-iphone] (from client uap-pro port 0 cli D0-C5-F3-1F-EB-FF) 192.168.2.2
Not in the CRL... login fine, put client in the CRL - blocked!! Pull his cert out of CRL fine..
-
@smacdoug why don't u remove all the certs involving freeradius and remove freeradius, reboot pfsense, and then install freeradius again. It will generate new default certs that you can use or remove and create your own certs.
-
I'm restarting the freeradius server using the Status-Services and clicking on the restart icon for radiusd.
In terms of deleting all my certs ans rebuilding from scratch, I'd prefer not if I can avoid it. Freeradius is authenticating all my WiFi users. They're all working fine as long as I don't enable a CRL. Creating all new certs to distribute to all my clients is something I'd prefer not to do.
-
And your seeing it restart in the log?
I have tried to duplicate this.. Other than the problems I had with it not adding the CRL at all, which fixed once I put in a cert.. I am not having any issues with this..
Maybe if you run it in debug mode you can get more info to figure out where the problem is.
-
Ok. When I do that I see this in the log which looks relevant:
eap_tls: ERROR: SSL says error 12 : CRL has expired
Since this is a new CRL I'm not sure why it thinks it's expired already. If I run your openssl command I see this:
Last Update: Oct 30 14:47:34 2018 GMT
Next Update: Feb 8 08:19:18 2010 GMTWhich doesn't seem to make sense.
-
No sure doesn't so yeah that would explain the issue..
Just create a new one.. How many days are you putting in for lifetime... Are you importing or creating?
-
Is this on ARM or amd64?
Maybe it's hitting a 32-bit rollover in UNIX timestamps at 2038.
-
It's ARM (Netgate SG-3100)
If I change the default lifetime from 9999 to 3650, I get a correct expiry of 10 years in the future, if I double that to 7300, I get September 2002.
If I leave it at 10 years, the my radius authentications work.
Us this rollover something that can be addressed in a pfsense update?
-
I have a sg3100... Let me give it a try.
-
I can look into adjusting the defaults on ARM, or for everyone: https://redmine.pfsense.org/issues/9098
Curious that it didn't happen on 2.4.3, but we did change to a pure PHP CRL library on 2.4.4. We had been using a PHP openssl module patch before.
-
Yeah that is odd - good catch though! Took us long enough ;) hehe But found the problem finally..
Yup just validated on my 3100 does the same thing... But doesn't do it on my sg4860.
-
Thanks for all the help pointing me in the right direction. I'll keep my list at 10 years for now.