<br><br><div class="gmail_quote">On Wed, Jun 13, 2012 at 2:53 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">august huber wrote:<br>
> While performing some integration work with FreeRadius I have hit some<br>
> barriers in providing meaningful errors to clients during failed SSL<br>
> (eap_tls) transactions. I was perplexed to discover that all SSL<br>
> contexts receive SSL_get_quiet_shutdown(ctx,1) called before shutdown.<br>
> I'm curious about the logic behind this decision; specifically is it<br>
> targeted to decrease attacker awareness of failure modes or a function<br>
> of poor client integration causing some platform to barf when it<br>
> receives a TLS Alert message? If neither, does anyone know how this<br>
> change made it there?<br>
<br>
</div> If I recall, it's because there's no real point in sending anything to<br>
the client. The EAP session has already failed. Sending more<br>
information as to *why* it failed isn't useful.<br>
<br>
Having the SSL session hang around waiting to send more data isn't<br>
useful either.<br></blockquote><div>I have to disagree here, it is useful for the client to understand that their transaction failed due to an expired cert versus a revoked cert versus having sent a cert that does not verify up to a known CA chain (as some platforms are especially bad at self selecting credentials when more than one is present)<br>
For a complete list of alerts that are supported see RFC2246 Section 7.2<br>OpenSSL is already populating this for us during the verify, FreeRadius is explicitly removing it from the response.<br><br>This will not cause the connections to remain open, but instead will send an Alert with the cause during the shutdown.<br>
<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im"><br>
> Adding a conflg flag seems relatively straightforward for this case to<br>
> preserve the silent functionality when desired, but wanted to query the<br>
> list to see if anyone has a strong opinion before I do.<br>
<br>
</div> I'm not really sure it's a good idea.<br>
<span class="HOEnZb"><font color="#888888"><br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/devel.html" target="_blank">http://www.freeradius.org/list/devel.html</a><br>
</font></span></blockquote></div><br>