Security considerations for SSL_get_quiet_shutdown

Alan DeKok aland at deployingradius.com
Wed Jun 13 15:50:49 CEST 2012


august huber wrote:
> I have to disagree here, it is useful for the client to understand that
> their transaction failed due to an expired cert versus a revoked cert
> versus having sent a cert that does not verify up to a known CA chain
> (as some platforms are especially bad at self selecting credentials when
> more than one is present)

  I'm not sure those errors are sent anywhere.  Most clients would never
show them to the user.

> For a complete list of alerts that are supported see RFC2246 Section 7.2
> OpenSSL is already populating this for us during the verify, FreeRadius
> is explicitly removing it from the response.

  Yes.  As I said, that's largely intentional.

> This will not cause the connections to remain open, but instead will
> send an Alert with the cause during the shutdown.

  It won't keep them open *forever*.  It will keep them open past the
point where the user has been rejected.

  It might work, I don't know.  But the last I recalled was that
SSL_quiet_shutdown was needed.

  See the git logs for details.  It's in there somewhere.

  Alan DeKok.


More information about the Freeradius-Devel mailing list