From 0cb868b4a840307218f86a4ebff0c9b9c20d837b Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Sat, 23 Oct 2010 08:57:58 +0200
Subject: [PATCH] The cert "bootstrap" code now checks certs for validity

Otherwise, the server can load expired certificates. The clients will refuse to connect, via the usual "access-challenge followed by nothing" issue. A better approach is for the server to print an error message on startup, and refuse to run.
---
 raddb/certs/Makefile | 2 +-
 raddb/certs/bootstrap | 1 +
 raddb/eap.conf | 22 ++++++++++++++++------
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index b0e2973..5a91002 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -36,7 +36,7 @@ client: client.pem
 ca: ca.der
 .PHONY: server
-server: server.pem
+server: server.pem server.vrfy
 ######################################################################
 #
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index f76a84f..e70b506 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -66,6 +66,7 @@ fi
 if [ ! -f server.pem ]; then
 openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
+ openssl verify -CAfile ca.pem server.pem || exit 1
 fi
 if [ ! -f ca.der ]; then
diff --git a/raddb/eap.conf b/raddb/eap.conf
index 998b1b5..941ebe9 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
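Review bot: `server.vrfy` becomes a prerequisite of `server` here, but no rule producing it is part of this patch; if the Makefile does not define one elsewhere, `make server` stops with "No rule to make target `server.vrfy'". If the rule does exist and runs `openssl verify` without writing a file of that name, it should also be declared under `.PHONY`, so that a stray `server.vrfy` file cannot make the check appear up to date and skip it. The surrounding Makefile is outside the hunk.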
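Review bot: The added `openssl verify -CAfile ca.pem server.pem || exit 1` runs only inside the `[ ! -f server.pem ]` branch, so a server.pem that already exists and has since expired is never re-checked by bootstrap; the rewritten eap.conf comment in this patch says radiusd "will refuse to start when the certificate has expired", which bootstrap alone does not guarantee unless the server has its own expiry check at load time, and that is not visible here. Moving `openssl verify -CAfile ca.pem server.pem || exit 1` to just after the `fi` would make the check apply on every run, since server.pem is guaranteed to exist at that point (it was either just created or was already present). Some older OpenSSL releases also print the verification error but still exit 0 from `openssl verify`, so `|| exit 1` may not trip on them; if such versions matter, test the output as well, e.g. `openssl verify -CAfile ca.pem server.pem | grep -q ': OK$' || exit 1`. Note that verify checks the chain and validity period only, not that the private key bundled in server.pem matches the certificate.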
@@ -266,10 +266,20 @@
 #
- # This configuration entry should be deleted
- # once the server is running in a normal
- # configuration. It is here ONLY to make
- # initial deployments easier.
+ # This command creates the initial "snake oil"
+ # certificates when the server is run as root,
+ # and via "radiusd -X".
+ #
+ # As of 2.1.11, it *also* checks the server
+ # certificate for validity, including expiration.
+ # This means that radiusd will refuse to start
+ # when the certificate has expired. The alternative
+ # is to have the 802.1X clients refuse to connect
+ # when they discover the certificate has expired.
+ #
+ # Debugging client issues is hard, so it's better
+ # for the server to print out an error message,
+ # and refuse to start.
 #
 make_cert_command = "${certdir}/bootstrap"
@@ -543,13 +553,13 @@
 # see doc/SoH.txt for more info.
 # It is disabled by default.
 #
- # soh = yes
+# soh = yes
 #
 # The SoH reply will be turned into a request which
 # can be sent to a specific virtual server:
 #
- # soh_virtual_server = "soh-server"
+# soh_virtual_server = "soh-server"
 }
 #
-- 
2.1.4