3.10.22. EAPTLS_CRLFile

For TLS-based EAP types, such as TLS, TTLS, and PEAP, and where CRL checking has been enabled with EAPTLS_CRLCheck, this optional parameter specifies one or more CRL files that are used to check client certificates for revocation. These files are also used when EAPTLS_CRLCheckAll is enabled. Special characters are supported.
If a CRL file is not found, or if the CRL says the certificate has been revoked, TLS authentication will fail with an error:
SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
To ease automation, CRLs may instead follow a file naming convention in which each CRL file is stored under a special file name in the EAPTLS_CAPath directory. Setting up this directory is described in Section 3.11.3. TLS_CAPath. In that case you do not need to configure EAPTLS_CRLFile.
If CRLs are not stored in the CAPath directory, one or more CRLs can be named with multiple EAPTLS_CRLFile parameters. CRL reloading is intended to work as follows: each CRL file named with EAPTLS_CRLFile is automatically re-read at the start of each new EAP-TLS, EAP-TTLS or PEAP session if the modification date of the named file has changed since it was last loaded. If the CRL for a particular issuer changes, it is therefore sufficient to replace the existing CRL file with the newer version; Radiator reloads the new CRL when it is next required.
Tip
Operating system wildcards are supported, so you can name multiple CRLs with a single wildcard like:
EAPTLS_CRLFile %D/crls/revocations-*.pem
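The following clause is an added example, not taken from the Radiator manual or its goodies, showing EAPTLS_CRLCheck, several EAPTLS_CRLFile parameters and EAPTLS_CRLCheckAll together in one AuthBy clause. The certificate file names and the %D/crls directory are assumptions for illustration; the other parameters are standard Radiator EAP-TLS settings.

```text
# Added example: an EAP-TLS AuthBy clause with CRL-based revocation checking.
# File names under %D are placeholders, not values from the manual.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType TLS
        EAPTLS_CAFile %D/certificates/ca-chain.pem
        EAPTLS_CertificateFile %D/certificates/radius-server.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/radius-server-key.pem

        # EAPTLS_CRLFile has no effect unless CRL checking is enabled here.
        EAPTLS_CRLCheck

        # One CRL per issuing CA. Each file is re-read at the start of a new
        # EAP-TLS, EAP-TTLS or PEAP session when its modification time has
        # changed, so replacing the file is enough to roll out a new CRL.
        EAPTLS_CRLFile %D/crls/issuing-ca-1.pem
        EAPTLS_CRLFile %D/crls/issuing-ca-2.pem

        # Equivalent single-line form using an operating system wildcard:
        # EAPTLS_CRLFile %D/crls/issuing-ca-*.pem

        # The same CRL files are also consulted when this is enabled.
        EAPTLS_CRLCheckAll
    </AuthBy>
</Handler>
```

If any named CRL file is missing, or a client certificate appears in one of the CRLs, authentication fails with the SSL3_GET_CLIENT_CERTIFICATE:no certificate returned error described above, so monitor the CRL files' presence and freshness alongside the RADIUS service itself.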