freeradius: insufficient CRL validation

2015-08-14T00:00:00
ID ASA-201508-6
Type archlinux
Reporter Arch Linux
Modified 2015-08-14T00:00:00

Description

The FreeRADIUS server relies on OpenSSL to perform certificate validation, including Certificate Revocation List (CRL) checks. The FreeRADIUS usage of OpenSSL, in CRL application, limits the checks to leaf certificates, therefore not detecting revocation of intermediate CA certificates. An unexpired client certificate, issued by an intermediate CA with a revoked certificate, is therefore accepted by FreeRADIUS.