diff options
author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-04-19 17:38:17 -0300 |
---|---|---|
committer | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-04-19 17:38:17 -0300 |
commit | 3b7875ae2180e3fc7f7464b5d36300d05d1e9c49 (patch) | |
tree | 6352b4043c3ce9730d5d9d19795f6593b384f62e /config/freeradius2 | |
parent | e9bac1e88c8183d85c5ceaea6dc38a6fdae01bbd (diff) | |
download | pfsense-packages-3b7875ae2180e3fc7f7464b5d36300d05d1e9c49.tar.gz pfsense-packages-3b7875ae2180e3fc7f7464b5d36300d05d1e9c49.tar.bz2 pfsense-packages-3b7875ae2180e3fc7f7464b5d36300d05d1e9c49.zip |
freeradius2 - Include certificate revocation list (CRL) to EAP conf
Diffstat (limited to 'config/freeradius2')
-rw-r--r-- | config/freeradius2/freeradius.inc | 27 | ||||
-rw-r--r-- | config/freeradius2/freeradiuseapconf.xml | 14 |
2 files changed, 36 insertions, 5 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index 38093780..84bc9f71 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -5,6 +5,7 @@ freeradius.inc part of pfSense (http://www.pfSense.com) Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Marcello Coutinho (revocation list code) All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -948,12 +949,18 @@ if ($eapconf['vareapconfchoosecertmanager'] == 'on') { if(base64_decode($ca_cert['crt'])) { + $crl_cert = lookup_crl($eapconf["ssl_ca_crl"]); + if ($crl_cert != false){ + $crl=base64_decode($crl_cert['txt']); + $check_crl="check_crl = yes"; + } + else{ + $check_crl="check_crl = no"; + } file_put_contents(FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem", - base64_decode($ca_cert['crt'])); + base64_decode($ca_cert['crt']). $crl); $conf['ssl_ca_cert'] = FREERADIUS_BASE . "/etc/raddb/certs/ca_cert.pem"; } - - $svr_cert = lookup_cert($eapconf["ssl_server_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['prv'])) { @@ -1055,7 +1062,7 @@ else { random_file = \${certdir}/random fragment_size = $vareapconffragmentsize include_length = $vareapconfincludelength - # check_crl = yes + {$check_crl} CA_path = \${cadir} $vareapconfcheckcertissuer $vareapconfcheckcertcn @@ -1120,6 +1127,18 @@ function freeradius_get_ca_certs() { } // Gets started from freeradiuseapconf.xml +function freeradius_get_ca_crl() { + global $config; + $crl_arr = array(); + $crl_arr[] = array('refid' => 'none', 'descr' => 'none'); + + foreach ($config['crl'] as $crl) { + $crl_arr[] = array('refid' => $crl['refid'], 'descr' => $crl['descr']); + } + return $crl_arr; +} + +// Gets started from freeradiuseapconf.xml function freeradius_get_server_certs() { global $config; $cert_arr = array(); diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index ac761523..d9c39c4f 100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml @@ -10,6 +10,7 @@ freeradiuseapconf.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Marcello Coutinho (revocation list code) All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -171,7 +172,7 @@ <b>uncheked</b>: FreeRADIUS Cert-Manager (not recommended) (Default: unchecked)<br> <b>cheked</b>: Firewall Cert-Manager (recommended)]]></description> <type>checkbox</type> - <enablefields>ssl_ca_cert,ssl_server_cert,vareapconfenableclientp12</enablefields> + <enablefields>ssl_ca_cert,ssl_ca_crl,ssl_server_cert,vareapconfenableclientp12</enablefields> </field> <field> <fielddescr>Private Key Password</fielddescr> @@ -191,6 +192,17 @@ <source_value>refid</source_value> </field> <field> + <fielddescr>SSL Revocation List</fielddescr> + <fieldname>ssl_ca_crl</fieldname> + <description><![CDATA[Choose the SSL CA Certficate revocation list here which you created with the firewall's Cert Manager.<br> + Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description> + <type>select_source</type> + <source><![CDATA[freeradius_get_ca_crl()]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + </field> + + <field> <fielddescr>SSL Server Certificate</fielddescr> <fieldname>ssl_server_cert</fieldname> <description><![CDATA[Choose the SSL Server Certficate here which you created with the firewall's Cert Manager.<br> |