Security considerations for SSL_get_quiet_shutdown

august huber august.huber at gmail.com
Wed Jun 13 16:17:51 CEST 2012


On Wed, Jun 13, 2012 at 3:50 PM, Alan DeKok <aland at deployingradius.com> wrote:

> august huber wrote:
> > I have to disagree here; it is useful for the client to understand that
> > their transaction failed due to an expired cert versus a revoked cert
> > versus having sent a cert that does not verify up to a known CA chain
> > (as some platforms are especially bad at self-selecting credentials when
> > more than one is present).
>
>   I'm not sure those errors are sent anywhere.  Most clients would never
> show them to the user.
>
Alternate idea: perhaps passing this data back in an EAP-Notify before
EAP-Failure would be the proper integration point?


>
> > For a complete list of alerts that are supported see RFC 2246 Section 7.2.
> > OpenSSL is already populating this for us during the verify; FreeRADIUS
> > is explicitly removing it from the response.
>
>   Yes.  As I said, that's largely intentional.
>
> > This will not cause the connections to remain open, but instead will
> > send an Alert with the cause during the shutdown.
>
>   It won't keep them open *forever*.  It will keep them open past the
> point where the user has been rejected.
>
>  It might work, I don't know.  But the last I recalled was that
> SSL_quiet_shutdown was needed.
>
>  See the git logs for details.  It's in there somewhere.
>
>  Alan DeKok.
>
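The flow proposed above (verification reason carried in an EAP-Notification before the EAP-Failure), as an added example that is not from this thread or from FreeRADIUS: decode the alert record OpenSSL would have produced into its RFC 2246 Section 7.2 description, then wrap that text in RFC 3748 EAP packets. The client's Response to the Notification and real identifier bookkeeping are omitted, and the alert bytes are a constructed sample.

```python
import struct

# TLS alert descriptions from RFC 2246 section 7.2 (subset that matters for
# client-certificate verification failures).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 51: "decrypt_error",
}
TLS_CONTENT_ALERT = 21
EAP_REQUEST, EAP_FAILURE = 1, 4          # RFC 3748 section 4 codes
EAP_TYPE_NOTIFICATION = 2                # RFC 3748 section 5.2


def parse_tls_alert(record: bytes):
    """Return (level, description name) for a TLS alert record, or None if not an alert."""
    if len(record) < 5 or record[0] != TLS_CONTENT_ALERT:
        return None
    (length,) = struct.unpack("!H", record[3:5])
    if length != 2 or len(record) != 5 + length:
        raise ValueError("malformed alert record")
    level, desc = record[5], record[6]
    return level, ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")


def eap_notification(identifier: int, text: str) -> bytes:
    """EAP-Request/Notification: Code, Identifier, Length, Type, displayable message."""
    data = text.encode("utf-8")
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5 + len(data), EAP_TYPE_NOTIFICATION) + data


def eap_failure(identifier: int) -> bytes:
    """EAP-Failure: Code 4, Identifier, Length 4, no data."""
    return struct.pack("!BBH", EAP_FAILURE, identifier, 4)


def reject_with_reason(alert_record: bytes, identifier: int):
    """Translate the verify-time alert into a Notification, then end with Failure.

    Identifier handling is simplified: the Failure just uses the next value.
    """
    alert = parse_tls_alert(alert_record)
    reason = alert[1] if alert else "unspecified"
    return [eap_notification(identifier, f"TLS client certificate rejected: {reason}"),
            eap_failure(identifier + 1)]


# Constructed sample: TLS 1.0 record, ContentType alert, fatal(2), certificate_expired(45).
SAMPLE_ALERT = bytes([TLS_CONTENT_ALERT, 3, 1, 0, 2, 2, 45])
```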