Session Resumption fails

Panagiotis Georgopoulos panos at comp.lancs.ac.uk
Tue Oct 5 17:48:00 CEST 2010


Hi Alexander, all,

	Please see below...

> Panagiotis Georgopoulos <panos at comp.lancs.ac.uk> wrote:
> >
> > #Debug:   SSL: adding session
> > 5705534d65ddd08de3b8649528274c1bc4e3d648bef7b643ffaf0f647afcac73 to
> > cache ... what I never ever see though is to try and do session
> > resumption (i.e. see "Skipping Phase2 due to session resumption"). How can I
> > fix/debug that?
> >
> > Is anyone using session resumption successfully in 2.1.10?
> >
> Sorry for the late reply, just tested it now and it works fine for me
> in 2.1.10.
> 
> (snip)

Thanks for your reply Alexander, that is very helpful.

After many days, over several weeks, of testing I found it impossible to make
session resumption work on 2.1.10, no matter what changes I made in my
configuration files :-/ I am not sure, but judging from the outcome it seems
that the exact version of OpenSSL I am running is to blame here. The machine
I am running FR on was running OpenSSL 0.9.8g, and when I moved to 0.9.8k
session resumption started working. I am still debugging this though... What
version of OpenSSL are you running on your FR?

(By the way, a previous post on the list suggests that if both server and
client run OpenSSL version 0.9.8j or later then stateless session resumption
can be supported. Incidentally, my end client still runs 0.9.8g.)

I have use_tunneled_reply enabled, and now I do not have to do an update
reply to let SSL know about the User-Name of the inner tunnel, as the
aforementioned option does it for me. However, as I have mentioned in the
past, in my Access-Accept reply I see *two* pairs of MPPE keys (Send and Recv
twice), and I have to remove them in post-auth of inner-tunnel with the
following:

	update reply {
		MS-MPPE-Recv-Key !* 0x00
		MS-MPPE-Send-Key !* 0x00
	}

Am I guessing right that you don't experience the above because you use
LDAP? I am still trying to figure out why the extra pair of keys appears in
the packet and whether I could configure FR not to add them in the first
place instead of removing them....

I will also try to check whether session resumption works with EAP-TLS in my
current setup, to see what happens.

Thanks for your feedback. 

Cheers,
Panos

PS. If you care for the debug output, here it is: http://pastebin.com/M0EQTi4q
(I highlighted the relevant bits for easier reading.)
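The symptom described in the message above, sessions being added to the TLS cache but never resumed, can be checked mechanically from radiusd -X output instead of by eye. The script below is an added example written for this page; it is not code from the original post or from the FreeRADIUS project. It looks only for the two debug lines the post quotes, "SSL: adding session <id> to cache" and "Skipping Phase2 due to session resumption", and the two sample logs embedded in it are constructed for illustration (the second session ID is made up; only the first comes from the post). Real debug output carries more text around those lines, which the regular expressions ignore.

```python
"""Classify FreeRADIUS debug output by how TLS sessions were handled.

Added example for this mailing-list page; not FreeRADIUS code.
It answers one question about a radiusd -X capture: were sessions cached
(a full handshake followed by 'SSL: adding session ... to cache') and was
any later connection actually resumed ('Skipping Phase2 due to session
resumption')?  Cached-but-never-resumed is exactly the state the poster
describes on OpenSSL 0.9.8g.
"""
import re

# Both patterns are taken from the debug lines quoted in the post.
# Note: the resumption line does not carry a session ID, so resumptions are
# counted rather than tied to a particular cached ID.
ADD_RE = re.compile(r"SSL: adding session ([0-9a-f]+) to cache")
RESUME_RE = re.compile(r"Skipping Phase2 due to session resumption")

# Constructed sample: two full handshakes, nothing resumed (the post's case).
# First ID is from the post; the second and the surrounding lines are made up.
SAMPLE_NO_RESUME = """\
rad_recv: Access-Request packet from host 10.0.0.2 port 1024, id=1, length=160
#Debug:   SSL: adding session 5705534d65ddd08de3b8649528274c1bc4e3d648bef7b643ffaf0f647afcac73 to cache
Sending Access-Accept of id 1 to 10.0.0.2 port 1024
rad_recv: Access-Request packet from host 10.0.0.2 port 1024, id=7, length=160
#Debug:   SSL: adding session 1f2e3d4c5b6a79880000000000000000ffffffffffffffff0123456789abcdef to cache
Sending Access-Accept of id 7 to 10.0.0.2 port 1024
"""

# Constructed sample: one full handshake, then a resumed session.
SAMPLE_WITH_RESUME = """\
rad_recv: Access-Request packet from host 10.0.0.2 port 1024, id=1, length=160
#Debug:   SSL: adding session 5705534d65ddd08de3b8649528274c1bc4e3d648bef7b643ffaf0f647afcac73 to cache
Sending Access-Accept of id 1 to 10.0.0.2 port 1024
rad_recv: Access-Request packet from host 10.0.0.2 port 1024, id=2, length=160
Skipping Phase2 due to session resumption
Sending Access-Accept of id 2 to 10.0.0.2 port 1024
"""


def classify(log_text):
    """Return the cached session IDs (in order) and the resumption count."""
    cached = []
    resumed = 0
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m:
            cached.append(m.group(1))
        elif RESUME_RE.search(line):
            resumed += 1
    return {"cached": cached, "resumed": resumed}


def diagnose(summary):
    """Map a classify() result to the likely state of session resumption."""
    if not summary["cached"] and not summary["resumed"]:
        return "no session caching observed: check that the TLS cache is enabled"
    if summary["cached"] and not summary["resumed"]:
        return ("sessions are cached but never resumed: "
                "suspect the TLS library on the client or server")
    return "session resumption is working"


def diagnose_log(log_text):
    """Convenience wrapper: classify and diagnose a whole capture."""
    return diagnose(classify(log_text))


if __name__ == "__main__":
    for name, log in (("no-resume", SAMPLE_NO_RESUME),
                      ("with-resume", SAMPLE_WITH_RESUME)):
        s = classify(log)
        print(f"{name}: {len(s['cached'])} cached, {s['resumed']} resumed -> "
              f"{diagnose(s)}")
```

Feed it a real capture with `python3 check_resumption.py < radiusd.log` after replacing the samples, or import `diagnose_log` and pass the file contents. Because the resumption line carries no session ID, the script only distinguishes "never resumed" from "resumed at least once"; correlating a resumption with a specific cached ID would need the client-side trace as well.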