tls/verify: implement allow_not_yet_valid_crl (#4181)
authorYoufu Zhang <1315097+zhangyoufu@users.noreply.github.com>
Thu, 21 Oct 2021 14:13:32 +0000 (22:13 +0800)
committerGitHub <noreply@github.com>
Thu, 21 Oct 2021 14:13:32 +0000 (10:13 -0400)
doc/antora/modules/raddb/pages/mods-available/eap.adoc
doc/antora/modules/raddb/pages/mods-available/eap_inner.adoc
doc/antora/modules/raddb/pages/sites-available/tls.adoc
raddb/mods-available/eap
raddb/mods-available/eap_inner
raddb/sites-available/tls
src/lib/tls/conf-h
src/lib/tls/conf.c
src/lib/tls/verify.c

index 4ce6f856d277a4f3233fe820127dc011807b7e8d..4888d809d6ef77cc99d61e976e3b73cf185e7b5b 100644 (file)
@@ -617,6 +617,11 @@ Will check CRLs for all certificates in the certificate chain.
 allow_expired_crl:: Accept an expired Certificate Revocation List.
 
 
+
+allow_not_yet_valid_crl:: Accept a not-yet-valid Certificate Revocation List.
+
+
+
 ### TLS Session resumption
 
 Once authentication has completed the TLS client may be
@@ -1345,6 +1350,7 @@ eap {
 #                      attribute_mode = client-and-issuer
 #                      check_crl = yes
 #                      allow_expired_crl = no
+#                      allow_not_yet_valid_crl = no
                }
                cache {
 #                      mode = auto
index bb8c7122d8cf6178b00c9d073eb472c0e7e62d9e..c42a589fef16c3541a56deffc760dee91e0e749d 100644 (file)
@@ -111,6 +111,10 @@ allow_expired_crl:: See the `eap` module for common configuration explanation.
 
 
 
+allow_not_yet_valid_crl:: See the `eap` module for common configuration explanation.
+
+
+
 ## tls { ... }
 
 You SHOULD use different certificates than are used
@@ -161,6 +165,7 @@ eap inner-eap {
 #              check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
 #              check_cert_cn = %{User-Name}
 #              allow_expired_crl = no
+#              allow_not_yet_valid_crl = no
        }
        tls {
                tls = tls-peer
index 179ffa5fbab0715115e7d28edb23596ff80f6b3a..a8a4602e666c442d66876b7e7497755ce298874c 100644 (file)
@@ -111,6 +111,10 @@ Accept an expired Certificate Revocation List
 
 allow_expired_crl = no
 
+Accept a not-yet-valid Certificate Revocation List
+
+allow_not_yet_valid_crl = no
+
 
 If check_cert_issuer is set, the value will
 be checked against the DN of the issuer in
index ba3538497b6359e66feda5b2d0b0562b95901bd5..b40f5f8538145c13b7d74bcd2f5fdfd61bb35366 100644 (file)
@@ -695,6 +695,11 @@ eap {
                        #  allow_expired_crl:: Accept an expired Certificate Revocation List.
                        #
 #                      allow_expired_crl = no
+
+                       #
+                       #  allow_not_yet_valid_crl:: Accept a not-yet-valid Certificate Revocation List.
+                       #
+#                      allow_not_yet_valid_crl = no
                }
                #
                #  ### TLS Session resumption
index aeb40682b4ab850edaff29f39c42d2ca9c94fa1d..f604c117d5eccbad51c3fcc55476092dee1c091f 100644 (file)
@@ -144,6 +144,11 @@ eap inner-eap {
                #  allow_expired_crl:: See the `eap` module for common configuration explanation.
                #
 #              allow_expired_crl = no
+
+               #
+               #  allow_not_yet_valid_crl:: See the `eap` module for common configuration explanation.
+               #
+#              allow_not_yet_valid_crl = no
        }
 
        #
index 003a7f5849a71a03d74b629095ec5472aa5a9703..3e519c8dc61c0c53583305188f6793474d5dcc53 100644 (file)
@@ -133,6 +133,10 @@ server radsec {
                        #
                #       allow_expired_crl = no
 
+                       #  Accept a not-yet-valid Certificate Revocation List
+                       #
+               #       allow_not_yet_valid_crl = no
+
                        #
                        #  If check_cert_issuer is set, the value will
                        #  be checked against the DN of the issuer in
index a1176c2c6be1783739af16b82de798330e334336..f52a32b6540e1cab8f2e4daf5ef62d54dbcdf55b 100644 (file)
@@ -122,6 +122,7 @@ typedef struct {
 
        bool            check_crl;                      //!< Check certificate revocation lists.
        bool            allow_expired_crl;              //!< Don't error out if CRL is expired.
+       bool            allow_not_yet_valid_crl;        //!< Don't error out if CRL is not-yet-valid.
 } fr_tls_verify_conf_t;
 
 /* configured values goes right here */
index 56c3cf093c5d90d00b0a83e1920185c95ebe5832..c78a05168347b22f7b4977edf0124cc2e58c5978 100644 (file)
@@ -146,6 +146,7 @@ static CONF_PARSER tls_verify_config[] = {
                         .dflt = "client-and-issuer" },
        { FR_CONF_OFFSET("check_crl", FR_TYPE_BOOL, fr_tls_verify_conf_t, check_crl), .dflt = "no" },
        { FR_CONF_OFFSET("allow_expired_crl", FR_TYPE_BOOL, fr_tls_verify_conf_t, allow_expired_crl) },
+       { FR_CONF_OFFSET("allow_not_yet_valid_crl", FR_TYPE_BOOL, fr_tls_verify_conf_t, allow_not_yet_valid_crl) },
        CONF_PARSER_TERMINATOR
 };
 
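Review bot: The new CONF_PARSER entry for `allow_not_yet_valid_crl` carries no `.dflt`, while `check_crl` two lines above spells out `.dflt = "no"`, and the sample configs touched by this commit document the default as `no`; a setting that relaxes CRL validation should state its default in the parser table rather than rely on the struct being zero-initialised. Suggested line: `{ FR_CONF_OFFSET("allow_not_yet_valid_crl", FR_TYPE_BOOL, fr_tls_verify_conf_t, allow_not_yet_valid_crl), .dflt = "no" },`. The existing `allow_expired_crl` entry directly above has the same omission, though that line predates this commit. The `tls_verify_config[]` array starts before the hunk.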
index 55174b0698bd2705712812e569604d7a0554ee6a..e37f3d379e96107ff191c32d4155de599b960c9a 100644 (file)
@@ -196,7 +196,8 @@ int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
        if (!my_ok) {
                char const *p = X509_verify_cert_error_string(err);
                if (!verify_applies(conf->verify.mode, depth, untrusted) ||
-                   ((conf->verify.allow_expired_crl) && (err == X509_V_ERR_CRL_HAS_EXPIRED))) {
+                   ((conf->verify.allow_expired_crl) && (err == X509_V_ERR_CRL_HAS_EXPIRED)) ||
+                   ((conf->verify.allow_not_yet_valid_crl) && (err == X509_V_ERR_CRL_NOT_YET_VALID))) {
                        RDEBUG2("Ignoring verification error - %s (%i)", p, err);
                        tls_verify_error_detail(request, ssl_ctx, err);