The cert "bootstrap" code now checks certs for validity
authorAlan T. DeKok <aland@freeradius.org>
Sat, 23 Oct 2010 06:57:58 +0000 (08:57 +0200)
committerAlan T. DeKok <aland@freeradius.org>
Sat, 23 Oct 2010 06:57:58 +0000 (08:57 +0200)
Otherwise, the server can load expired certificates.  The clients will
refuse to connect, via the usual "access-challenge followed by nothing"
issue.  A better approach is for the server to print an error message
on startup, and refuse to run.

raddb/certs/Makefile
raddb/certs/bootstrap
raddb/eap.conf

index e76eb22f48bf256773ee58826f6f570f59993425..30fcccef8817b5be9d24be1d773d53264329ad68 100644 (file)
@@ -36,7 +36,7 @@ client: client.pem
 ca: ca.der
 
 .PHONY: server
-server: server.pem
+server: server.pem server.vrfy
 
 ######################################################################
 #
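Review bot: The new `server.vrfy` prerequisite on the `server` target (L22) has no rule in this hunk, so whether it is a real output file or a phony target cannot be confirmed here. If the rule writes a `server.vrfy` file after a successful `openssl verify`, make will treat it as up to date on every later run and the certificate will never be re-verified, which defeats the stated goal of catching expiry; if it is meant to run each time, declare it alongside the existing line as `.PHONY: server server.vrfy`. Whatever form the rule takes, it should depend on both `ca.pem` and `server.pem` so that a regenerated certificate or CA is checked again.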
index f76a84f9bf2100335795a1c6764ffd7698267568..e70b506b5c7c3e3105e568d6a4c6334683f2e764 100755 (executable)
@@ -66,6 +66,7 @@ fi
 
 if [ ! -f server.pem ]; then
   openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+  openssl verify -CAfile ca.pem server.pem || exit 1
 fi
 
 if [ ! -f ca.der ]; then
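Review bot: The added `openssl verify` (L31) runs only inside `if [ ! -f server.pem ]`, i.e. at the moment server.pem is first created from server.p12, so a server.pem that already exists on disk and has since expired is never checked — yet the commit message says the point is to refuse to start with an expired certificate (unless the script verifies again elsewhere, outside this hunk). Move the check after the `fi` so it runs on every invocation: keep the conversion inside the `if` block and add `openssl verify -CAfile ca.pem server.pem || exit 1` after `fi`. Consider `openssl verify -purpose sslserver -CAfile ca.pem server.pem || exit 1` so the check also confirms the certificate is usable as a TLS server certificate (key usage / EKU), not only that it chains to ca.pem and is within its validity dates. Note also that `-CAfile` adds to, rather than replaces, OpenSSL's default trust store, so a server.pem issued by some other locally trusted CA would also pass; that is acceptable for a sanity check but should not be read as proof the certificate was issued by this ca.pem.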
index 998b1b50b7216c813d047229532677546cc73f94..941ebe9b89744e9095799cea54e207ae61151fa2 100644 (file)
 
                        #
 
-                       #  This configuration entry should be deleted
-                       #  once the server is running in a normal
-                       #  configuration.  It is here ONLY to make
-                       #  initial deployments easier.
+                       # This command creates the initial "snake oil"
+                       # certificates when the server is run as root,
+                       # and via "radiusd -X".
+                       #
+                       # As of 2.1.11, it *also* checks the server
+                       # certificate for validity, including expiration.
+                       # This means that radiusd will refuse to start
+                       # when the certificate has expired.  The alternative
+                       # is to have the 802.1X clients refuse to connect
+                       # when they discover the certificate has expired.
+                       #
+                       # Debugging client issues is hard, so it's better
+                       # for the server to print out an error message,
+                       # and refuse to start.
                        #
                        make_cert_command = "${certdir}/bootstrap"
 
                        # see doc/SoH.txt for more info.
                        # It is disabled by default.
                        #
-               #       soh = yes
+#                      soh = yes
 
                        #
                        # The SoH reply will be turned into a request which
                        # can be sent to a specific virtual server:
                        #
-               #       soh_virtual_server = "soh-server"
+#                      soh_virtual_server = "soh-server"
                }
 
                #
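Review bot: The new comment on `make_cert_command` (L47–L50) says radiusd will refuse to start when the certificate has expired, but the bootstrap change in this same commit runs `openssl verify` only when server.pem is first generated, so an existing certificate that expires later is not re-checked unless the script verifies elsewhere; suggest wording it as `# As of 2.1.11, bootstrap also verifies the server certificate (chain and validity dates) against ca.pem when it creates it, and radiusd will not start if that check fails.` The removed advice (L39–L42) that this entry should be deleted once the server is running in a normal configuration is worth keeping in the new text: by the comment's own description `make_cert_command` runs an external script as root at startup, and a production deployment with real certificates has no reason to keep that in the startup path.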