3.8.20. EAPTLS_CRLFile Previous topic Parent topic Child topic Next topic

For TLS-based EAP types, such as TLS, TTLS, and PEAP, and where CRL checking has been enabled with EAPTLS_CRLCheck, this optional parameter specifies one or more CRL files that are used to check client certificates for revocation. These files are also used when EAPTLS_CRLCheckAll is enabled.
If a CRL file is not found, or if the CRL says the certificate has been revoked, TLS authentication will fail with an error:
SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
One or more CRLs can be named with the EAPTLS_CRLFile parameter. Alternatively, CRLs may follow a file naming convention: the hash of the issuer Subject Name and a suffix that depends on the serial number, for example ab1331b2.r0 or ab1331b2.r1.
You can find out the hash of the issuer name in a CRL with:
openssl crl -in crl.pem -hash -noout
CRLs with this name convention will be searched in EAPTLS_CAPath, else in the openssl certificates directory (typically /usr/local/openssl/certs/).
CRLs are expected to be in PEM format. A CRL file can be generated with openssl like this:
openssl ca -gencrl -revoke cert-clt.pem
openssl ca -gencrl -out crl.pem
Use of these flags requires Net_SSLeay-1.30 or later.
CRL reloading does not currently work as described with the recent OpenSSL libraries. To ensure the CRL files are correctly used, you may need to restart Radiator when the CRL files change.
The intended way CRL reloading, see the note above, works is this: Each CRL file named with a EAPTLS_CRLFile will be automatically reloaded and reread at the start of each new EAP TLS, TTLS or PEAP session if the modification date of the named CRL file has changed since the last time it was loaded. If the CRL for a particular issuer changes, it is sufficient to replace the existing CRL file with the newer version and Radiator will reload the new CRL when required.
Operating system wildcards are supported, so you can name multiple CRLs with a single wildcard like:
EAPTLS_CRLFile %D/crls/*.r0
Do not use the issuer name hash as the CRL file name: it can confuse OpenSSL. Use a text name like:
EAPTLS_CRLFile revocations.pem
Special characters are supported.