Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    All freeradius eap-tls authentications fail when an SSL revocation list is enabled

    Scheduled Pinned Locked Moved
    pfSense Packages
    4
    34
    2.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      smacdoug
      last edited by

      I'm restarting the freeradius server using the Status-Services and clicking on the restart icon for radiusd.

      In terms of deleting all my certs ans rebuilding from scratch, I'd prefer not if I can avoid it. Freeradius is authenticating all my WiFi users. They're all working fine as long as I don't enable a CRL. Creating all new certs to distribute to all my clients is something I'd prefer not to do.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        And your seeing it restart in the log?

        I have tried to duplicate this.. Other than the problems I had with it not adding the CRL at all, which fixed once I put in a cert.. I am not having any issues with this..

        Maybe if you run it in debug mode you can get more info to figure out where the problem is.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.03 | Lab VMs 2.7.2, 24.03

        1 Reply Last reply Reply Quote 0
        • S
          smacdoug
          last edited by

          Ok. When I do that I see this in the log which looks relevant:

          eap_tls: ERROR: SSL says error 12 : CRL has expired

          Since this is a new CRL I'm not sure why it thinks it's expired already. If I run your openssl command I see this:

          Last Update: Oct 30 14:47:34 2018 GMT
          Next Update: Feb 8 08:19:18 2010 GMT

          Which doesn't seem to make sense.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            No sure doesn't so yeah that would explain the issue..

            Just create a new one.. How many days are you putting in for lifetime... Are you importing or creating?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.03 | Lab VMs 2.7.2, 24.03

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              Is this on ARM or amd64?

              Maybe it's hitting a 32-bit rollover in UNIX timestamps at 2038.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • S
                smacdoug
                last edited by

                It's ARM (Netgate SG-3100)

                If I change the default lifetime from 9999 to 3650, I get a correct expiry of 10 years in the future, if I double that to 7300, I get September 2002.

                If I leave it at 10 years, the my radius authentications work.

                Us this rollover something that can be addressed in a pfsense update?

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  I have a sg3100... Let me give it a try.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.03 | Lab VMs 2.7.2, 24.03

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    I can look into adjusting the defaults on ARM, or for everyone: https://redmine.pfsense.org/issues/9098

                    Curious that it didn't happen on 2.4.3, but we did change to a pure PHP CRL library on 2.4.4. We had been using a PHP openssl module patch before.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Yeah that is odd - good catch though! Took us long enough ;) hehe But found the problem finally..

                      Yup just validated on my 3100 does the same thing... But doesn't do it on my sg4860.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.03 | Lab VMs 2.7.2, 24.03

                      1 Reply Last reply Reply Quote 0
                      • S
                        smacdoug
                        last edited by

                        Thanks for all the help pointing me in the right direction. I'll keep my list at 10 years for now.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post