OCSP (Online Certificate Status Protocol) is a method for checking a certificate's revocation status online and is used as an alternative to CRL (Certificate Revocation List) files. Whereas CRL files need to be downloaded and updated every now and then, OCSP sends a query to the CA (Certificate Authority) to obtain the latest revocation status.
Radiator uses OCSP to query and verify that an EAP supplicant's or a RadSec peer's certificate has not been revoked, and it can provide an OCSP staple to EAP supplicants and RadSec peers so that they can verify that Radiator's own certificate has not been revoked. More information about OCSP and OCSP stapling can be found in the references at the end.
In order to use OCSP with Radiator, the following conditions need to be met:
- Radiator version 4.20 or later
- X.509 certificates and the CA used support OCSP
- OpenSSL library version 1.0.0 or later
- Perl Net::SSLeay library version 1.83 or later
- Perl LWP::UserAgent library
- (Optional) Perl HTTP::Async library for asynchronous OCSP queries (supported only with EAP-TLS)
In this blog post, we show two configuration examples of how to enable and test OCSP support.
We use the demo certificates bundled with Radiator, which support OCSP.
You can check whether your X.509 certificate contains an OCSP URL with the commands shown below.
Test client certificate:
Test server certificate:
For testing OCSP, we run the OCSP responder provided by the OpenSSL library.
Normally, the CA that signed the certificates runs an OCSP responder on the Internet.
The OCSP responder is started with the command shown below (the pass phrase for all demo certificates is "whatever"):
Leave the OCSP responder running on http://127.0.0.1:8008/, waiting for OCSP queries from Radiator.
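As an added example (not part of the original post or the Radiator goodies), the script below builds a throwaway CA and a client certificate whose Authority Information Access extension points at the responder URL used above, then performs the certificate check from the text: it extracts the OCSP URI with `openssl x509 -ocsp_uri`, reports a certificate that carries none, and decodes the OCSP request a client would send for the certificate without contacting any responder. The file names, the CA name and the certificate subjects are constructed for this demo; the OCSP URL is the one from the text.

```shell
#!/bin/sh
# Added example, not from the Radiator post: a throwaway CA plus a client
# certificate with an OCSP URI, and the checks a practitioner runs on them.
# Names, paths and subjects below are constructed for this demo.
set -eu

OCSP_URL="http://127.0.0.1:8008/"   # responder address from the post

# ocsp_uri_of CERT: print the OCSP responder URL(s) found in the certificate's
# Authority Information Access extension, one per line (nothing if absent).
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# has_ocsp_uri CERT: succeed only when the certificate names an OCSP responder;
# without one, a verifier has nowhere to send the revocation query.
has_ocsp_uri() {
    [ -n "$(ocsp_uri_of "$1")" ]
}

# ocsp_request_text ISSUER CERT: build the OCSP request a client would send for
# CERT (issuer name hash, issuer key hash, serial number) and print it decoded.
# No -url is given, so openssl only writes and prints the request; nothing is sent.
ocsp_request_text() {
    openssl ocsp -issuer "$1" -cert "$2" -no_nonce -reqout "$2.ocspreq.der" -req_text
}

# make_demo_pki DIR: create DIR/ca.pem (self-signed CA, no AIA extension) and
# DIR/client.pem (signed by that CA, with the OCSP URI in its AIA extension).
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo OCSP CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # Extension file: this line is what puts the OCSP URL into the leaf certificate.
    printf 'authorityInfoAccess = OCSP;URI:%s\n' "$OCSP_URL" > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" -out "$dir/client.pem" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_demo_pki "$WORK"

for cert in client ca; do
    if has_ocsp_uri "$WORK/$cert.pem"; then
        echo "$cert.pem: OCSP responder $(ocsp_uri_of "$WORK/$cert.pem")"
    else
        echo "$cert.pem: no OCSP URI, revocation status cannot be queried"
    fi
done

# Show what the revocation query for client.pem actually contains.
ocsp_request_text "$WORK/ca.pem" "$WORK/client.pem"
```

Run the same `ocsp_uri_of` check against the Radiator demo client and server certificates before enabling OCSP: a certificate without an OCSP URI cannot have its status queried, and a supplicant that requires a staple will reject the handshake. The decoded request also shows why the issuer certificate must be available to the verifier: the request identifies the certificate by hashes of the issuer's name and key, not by the certificate itself.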
EAP-TLS OCSP configuration example
Radiator configuration that enables OCSP queries and OCSP stapling for EAP-TLS (there is a similar example config in goodies/eap_tls.cfg):
wpa_supplicant / eapol_test configuration for EAP-TLS that requires an OCSP staple:
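As an added example (not the post's own configuration), the script below writes a wpa_supplicant / eapol_test network block for EAP-TLS in which `ocsp=2` makes the supplicant require a valid stapled OCSP response for the server certificate, and adds a small check that distinguishes that setting from `ocsp=1`, which only tries stapling and silently accepts a server that sends no staple. The certificate paths, identity, RADIUS server address and shared secret are placeholders to replace with your own; the private key pass phrase is the demo value from the post.

```shell
#!/bin/sh
# Added example, not from the Radiator post: an eapol_test / wpa_supplicant
# EAP-TLS network block that requires an OCSP staple, plus a policy check.
# Paths, identity, server address and secret are placeholders.
set -eu

# write_eapol_test_conf FILE: ocsp=2 fails the TLS handshake unless the server
# staples a valid OCSP response for its certificate. Other values:
# 0 = no stapling, 1 = try but do not require, 3 = require for the whole chain.
write_eapol_test_conf() {
    cat > "$1" <<'EOF'
network={
    key_mgmt=WPA-EAP
    eap=TLS
    identity="demo-client"
    ca_cert="/path/to/ca.pem"
    client_cert="/path/to/client.pem"
    private_key="/path/to/client.key"
    private_key_passwd="whatever"
    ocsp=2
}
EOF
}

# staple_policy FILE: print "require", "try" or "off" for the ocsp= setting in
# FILE. A missing setting means off, which is the supplicant's default, so a
# config that merely forgets the line gives no revocation protection at all.
staple_policy() {
    val=$(sed -n 's/^[[:space:]]*ocsp=\([0-9]\).*/\1/p' "$1" | tail -n 1)
    case "${val:-0}" in
        2|3) echo require ;;
        1)   echo try ;;
        *)   echo off ;;
    esac
}

# run_eapol_test FILE SERVER PORT SECRET: run the supplicant against Radiator
# when eapol_test is installed; otherwise just report where the config is.
run_eapol_test() {
    if command -v eapol_test >/dev/null 2>&1; then
        eapol_test -c "$1" -a "$2" -p "$3" -s "$4"
    else
        echo "eapol_test not installed; config written to $1" >&2
    fi
}

CONF=$(mktemp)
write_eapol_test_conf "$CONF"
echo "OCSP staple policy in $CONF: $(staple_policy "$CONF")"
run_eapol_test "$CONF" 127.0.0.1 1812 placeholder-secret
```

When testing the Radiator EAP-TLS configuration, a run with `ocsp=2` should fail as soon as the OCSP responder from the previous step is stopped, while a run with `ocsp=1` keeps succeeding; that difference is the quickest way to confirm the staple is really being checked rather than merely requested.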
RadSec OCSP configuration example
Besides TLS-based EAP methods, OCSP can also be used with RadSec peerings, either with or without OCSP stapling.
Radiator configuration for a RadSec client that enables OCSP stapling (there is a similar example config in goodies/radsec-client.cfg):
Radiator configuration for a RadSec server that enables OCSP queries and OCSP stapling (there is a similar example config in goodies/radsec-server.cfg):
Radiator acting as a RadSec client (AuthBy RADSEC) connects to Radiator acting as a RadSec server (ServerRADSEC) and requests an OCSP staple during the TLS handshake. The server obtains an OCSP response for its own certificate and returns it to the client as an OCSP staple; once the client has sent its certificate, the server queries the certificate's revocation status with OCSP before accepting it.
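As an added example (not from the post), the script below checks the server side of the exchange just described from the outside: it connects to a RadSec server with `openssl s_client -status`, which asks for the TLS certificate status extension, and parses s_client's output to report whether an OCSP staple came back and what status it carries. The host, port and CA file are arguments you supply; the sample outputs embedded in the script are constructed from the text s_client prints in the two cases, so the parser can be exercised without a live server.

```shell
#!/bin/sh
# Added example, not from the Radiator post: verify from the outside that a
# RadSec server staples an OCSP response. Host, port and CA file are supplied
# by the caller; the sample outputs below are constructed for the demo.
set -eu

# staple_status: read s_client -status output on stdin and print
#   "stapled:<cert status>" when the server sent an OCSP response,
#   "none" when s_client reported that no response was sent,
#   "unknown" otherwise (for example a handshake that failed earlier).
staple_status() {
    awk '
        /^OCSP response: no response sent/ { print "none"; found = 1; exit }
        /OCSP Response Status:/            { seen = 1 }
        /Cert Status:/ && seen             { sub(/.*Cert Status: */, ""); print "stapled:" $0; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# radsec_staple_check HOST PORT CAFILE [CLIENTCERT CLIENTKEY]: open one TLS
# connection to the RadSec server (2083 is the usual RadSec port), request the
# certificate status extension and report the result. The client certificate
# and key are only needed when the server requires them during the handshake.
radsec_staple_check() {
    host=$1; port=$2; cafile=$3; ccert=${4:-}; ckey=${5:-}
    if [ -n "$ccert" ]; then
        openssl s_client -connect "$host:$port" -status -CAfile "$cafile" \
            -cert "$ccert" -key "$ckey" </dev/null 2>&1 | staple_status
    else
        openssl s_client -connect "$host:$port" -status -CAfile "$cafile" \
            </dev/null 2>&1 | staple_status
    fi
}

# Constructed, abridged samples of what s_client prints in each case.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
depth=1 CN = Demo OCSP CA'
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

echo "sample without staple: $(printf '%s\n' "$SAMPLE_NO_STAPLE" | staple_status)"
echo "sample with staple:    $(printf '%s\n' "$SAMPLE_STAPLED" | staple_status)"

# Live check only when a server is named: ./script host 2083 ca.pem [cert key]
if [ $# -ge 3 ]; then
    echo "$1:$2: $(radsec_staple_check "$@")"
fi
```

A result of `none` against a ServerRADSEC that is supposed to staple usually means the server could not reach the OCSP responder for its own certificate, so check the responder from the earlier step first. A result of `stapled:revoked` is the staple doing its job: the Radiator RadSec client will refuse that peer.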