expansion issue in external command
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Fri Jun 10 14:12:10 CEST 2011
Hi,
> > in the TLS RADSEC configuration, if I want to use OpenSSL for external
> > verification (which i cant FULLY do...but still), I get the following
> > error if I use the ${certdir} expansion - as used all throughout the
> > rest of the config
>
> That *should* work...
I thought it should too. however, it just complains about unknown variable.
> > (0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign %{TLS-Client-Cert-Filename}
> > (0) expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60
> > Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK
> > Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK
> > Exec-Program: returned: 0
> > (0) Client certificate CN server.camford.ac.uk passed external validation
> ...
> > ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isnt.
>
> Isn't OpenSSL grand? If verification fails, the command still returns
> "success".
>
> Crazy.
>
> Instead, you probably have to root through the output of OpenSSL, to
> see if it says "success" or "error".
looks that way. the output from a successful verify looks like
server.lboro.ac.uk-eduPKI.pem: OK
(and thats all, nothing else....of course, this might change with different version of OpenSSL)
alan
More information about the Freeradius-Devel
mailing list