From 5fedd50c4af05164a146dfa7be9b9bd99eb6343b Mon Sep 17 00:00:00 2001
From: Matthew Newton
Date: Mon, 16 Jan 2012 17:07:28 +0000
Subject: [PATCH] Add OCSP softfail option

Normally, failure to get an OCSP response (rather than failure to validate) will reject the client. This allows that type of failure to still succeed.
---
 raddb/eap.conf | 16 +++++++++++++
 .../rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 23 +++++++++++++++++--
 .../rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h | 1 +
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/raddb/eap.conf b/raddb/eap.conf
index 5bf4ed2d0a0..087f7f7361f 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -447,6 +447,22 @@
 # for OCSP response. 0 uses system default.
 #
 # timeout = 0
+
+ #
+ # Normally an error in querying the OCSP
+ # responder (no response from server, server did
+ # not understand the request, etc) will result in
+ # a validation failure.
+ #
+ # To treat these errors as 'soft' failures and
+ # still accept the certificate, enable this
+ # option.
+ #
+ # Warning: this may enable clients with revoked
+ # certificates to connect if the OCSP responder
+ # is not available. Use with caution.
+ #
+ # softfail = no
 }
 }
 
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 68acde6aac8..f273eae75fd 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -81,6 +81,8 @@ static CONF_PARSER ocsp_config[] = {
 offsetof(EAP_TLS_CONF, ocsp_use_nonce), NULL, "yes"},
 { "timeout", PW_TYPE_INTEGER,
 offsetof(EAP_TLS_CONF, ocsp_timeout), NULL, "0" },
+ { "softfail", PW_TYPE_BOOLEAN,
+ offsetof(EAP_TLS_CONF, ocsp_softfail), NULL, "no"},
 { NULL, -1, 0, NULL, NULL } /* end the list */
 };
 #endif
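Review bot: The new eap.conf comment lists "server did not understand the request" among the errors that softfail tolerates, but the rlm_eap_tls.c hunks in this commit mark only four conditions as soft-failable — connect failure, failure to create the request context, response timeout, and no response at all — and a responder that answers with an error status is not visibly among them, so the text may promise more than the code delivers. Suggest wording it as `# responder (cannot connect, the request times out, or` / `# no response is returned, etc) will result in`, unless the status-error path elsewhere in ocsp_check also sets the soft-fail state. The Warning paragraph is the right emphasis; it would be worth adding `# Softfail decisions are only reported at debug level.` so that operators who rely on noticing an outage know to check their log level.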
@@ -351,12 +353,14 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 rc = BIO_do_connect(cbio);
 if ((rc <= 0) && ((!conf->ocsp_timeout) || !BIO_should_retry(cbio))) {
 radlog(L_ERR, "Error: Couldn't connect to OCSP responder");
+ ocsp_ok = 2;
 goto ocsp_end;
 }
 
 ctx = OCSP_sendreq_new(cbio, path, req, -1);
 if (!ctx) {
 radlog(L_ERR, "Error: Couldn't send OCSP request");
+ ocsp_ok = 2;
 goto ocsp_end;
 }
 
@@ -374,6 +378,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 
 if (conf->ocsp_timeout && (rc == -1) && BIO_should_retry(cbio)) {
 radlog(L_ERR, "Error: OCSP response timed out");
+ ocsp_ok = 2;
 goto ocsp_end;
 }
 
@@ -381,6 +386,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 
 if (rc == 0) {
 radlog(L_ERR, "Error: Couldn't get OCSP response");
+ ocsp_ok = 2;
 goto ocsp_end;
 }
 
@@ -446,10 +452,23 @@ ocsp_end:
 BIO_free_all(cbio);
 OCSP_BASICRESP_free(bresp);
 
- if (ocsp_ok) {
+ switch (ocsp_ok) {
+ case 1:
 DEBUG2("[ocsp] --> Certificate is valid!");
- } else {
+ break;
+ case 2:
+ if (conf->ocsp_softfail) {
+ DEBUG2("[ocsp] --> Unable to check certificate; assuming valid.");
+ DEBUG2("[ocsp] --> Warning! This may be insecure.");
+ ocsp_ok = 1;
+ } else {
+ DEBUG2("[ocsp] --> Unable to check certificate; failing!");
+ ocsp_ok = 0;
+ }
+ break;
+ default:
 DEBUG2("[ocsp] --> Certificate has been expired/revoked!");
+ break;
 }
 
 return ocsp_ok;
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
index 8376adf0705..34c917f8549 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
@@ -80,6 +80,7 @@ typedef struct eap_tls_conf {
 char *ocsp_url;
 int ocsp_use_nonce;
 int ocsp_timeout;
+ int ocsp_softfail;
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
-- 
2.47.3
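Review bot: `ocsp_ok = 2` on the connect-failure and send-failure paths here, and on the timeout and no-response paths in the next two hunks, is a bare magic number whose meaning (the responder could not be queried, so no verdict was obtained) is only recoverable from the switch at ocsp_end later in the file. A one-line comment at this first site, e.g. `ocsp_ok = 2; /* no verdict: responder unreachable; may be soft-failed at ocsp_end */`, or a small enum for the three states (failed / valid / unknown) would make all four assignments and the switch self-documenting. Any other failure path in ocsp_check that does not assign 2 — presumably the response-verification steps, which lie outside these hunks — keeps its earlier value and therefore stays a hard failure; that is the safe direction, and stating it in the same comment guards against a later edit widening the soft-fail set by accident. ocsp_check begins before and ends after this hunk.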
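Review bot: In the `case 2` branch the decision to admit a certificate without a revocation verdict is emitted only through DEBUG2, so at normal log levels an operator sees the earlier `radlog(L_ERR, ...)` about the responder but not that the client was accepted regardless; the acceptance is the security-relevant event and should be logged at least as loudly as the failure, e.g. `radlog(L_ERR, "[ocsp] --> Unable to check certificate; assuming valid (softfail enabled)");` in place of the two DEBUG2 calls. The branch also collapses the result to `ocsp_ok = 1`, so the caller cannot distinguish "validated" from "unchecked"; if the caller ever wants to record that difference (a reply attribute or a counter), the return contract would need a third value or an out-parameter, but that contract is outside this hunk. The 0/1/2 values in the switch are the same magic numbers as in the earlier hunks, and a named enum would also clarify the `default:` label, which currently reports any value other than 1 or 2 as "expired/revoked".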