# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
# 'c_rehash' is OpenSSL's command.
- # 3) uncomment the line below.
+ # 3) uncomment the lines below.
# 5) Restart radiusd
# check_crl = yes
+
+ # Check if intermediate CAs have been revoked.
+ # check_all_crl = yes
+
CA_path = ${cadir}
#
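Review bot: The new `# check_all_crl = yes` comment does not say that the option only has an effect together with `check_crl`; in the C hunk that edits the `certstore` path the new flag is set inside the block that already sets `X509_V_FLAG_CRL_CHECK`, and in OpenSSL `X509_V_FLAG_CRL_CHECK_ALL` is ignored unless `X509_V_FLAG_CRL_CHECK` is also set, so an administrator who uncomments only the new line gets no intermediate-CA checking. I would extend the added comment to `# Check if intermediate CAs have been revoked.  Only effective when check_crl = yes; the CRLs for the intermediate CAs must then also be present in CA_path (see step 1).` The step list also jumps from 3) to 5) on the lines touched here; since the line for step 3 is being rewritten anyway, renumbering `# 5) Restart radiusd` to `# 4)` would fix that.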
offsetof(EAP_TLS_CONF, include_length), NULL, "yes" },
{ "check_crl", PW_TYPE_BOOLEAN,
offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
+ { "check_all_crl", PW_TYPE_BOOLEAN,
+ offsetof(EAP_TLS_CONF, check_all_crl), NULL, "no"},
{ "allow_expired_crl", PW_TYPE_BOOLEAN,
offsetof(EAP_TLS_CONF, allow_expired_crl), NULL, NULL},
{ "check_cert_cn", PW_TYPE_STRING_PTR,
if (conf->check_crl)
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
#endif
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+ if (conf->check_all_crl)
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
return store;
}
#endif /* HAVE_OPENSSL_OCSP_H */
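Review bot: The added `if (conf->check_all_crl)` sets `X509_V_FLAG_CRL_CHECK_ALL` on `store` regardless of `conf->check_crl`, while the other site patched in this commit (the `certstore` hunk) only sets it after `X509_V_FLAG_CRL_CHECK`. OpenSSL's revocation check returns early when `X509_V_FLAG_CRL_CHECK` is not set, so with `check_crl = no` and `check_all_crl = yes` this store silently performs no CRL checking at all; the two sites should agree, and the smaller change is `if (conf->check_crl && conf->check_all_crl)` on the added line, which also keeps the `#ifdef X509_V_FLAG_CRL_CHECK_ALL` guard intact. If the flag is compiled out by that guard, a configured `check_all_crl = yes` is ignored without any log message, which is worth at least a comment next to the `#endif`. The enclosing function starts before this hunk; only its tail (`return store;` and the `return NULL;` fallback) is visible.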
return NULL;
}
X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
+
+ if (conf->check_all_crl) {
+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
+ }
}
#endif
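Review bot: This second site sets `X509_V_FLAG_CRL_CHECK_ALL` without the `#ifdef X509_V_FLAG_CRL_CHECK_ALL` guard that the same commit adds around the equivalent lines for `store`; on an OpenSSL build where the guard in the other hunk matters, this file would fail to compile here while the other site quietly compiles the option out. Either drop the guard at both sites (the macro has been available for a long time, if that is the project's supported baseline) or wrap the added block here the same way: `#ifdef X509_V_FLAG_CRL_CHECK_ALL` / `#endif` around the three added lines. The `}` at the end of the added block closes a block that begins outside this hunk, presumably the existing `if (conf->check_crl)` that sets `X509_V_FLAG_CRL_CHECK` on the line above the insertion; worth confirming that is the intended scope.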