EAP-TLS - How to log TLS-Client-Cert-* attributes from expired certificates

Andreas Gryphius lists.freeradius.org at ulle.dyndns.org
Fri Feb 15 18:04:19 CET 2019


Hi Alan,

Am 15.02.19 um 14:35 schrieb Alan DeKok:
> On Feb 15, 2019, at 6:12 AM, Andreas Gryphius <lists.freeradius.org at ulle.dyndns.org> wrote:
>> I am not a programmer, but I see a return in that function much earlier:
>> ...
>> But that doesn't make a difference as I want to stay with my distro's package.
> 
>    I don't know why.
> 
>    Later versions of the server have bugs fixed, minor new features, and better debugging.  In many, many cases people ask "why doesn't this work?" and the answer is "you're running something that's 5 years old: upgrade".
> 
>    And all too often, the answer is "no".
> 
>    Well...

I did not want to complain. If the issue were severe enough for me, I 
would go the route of compiling it myself.

> 
>> Any chance that I can get further with involving some other module (i.e. cache or cache_eap)?
> 
>    Nope.
> 
>    When it rejects the expired cert, it deletes all of the certificate attributes that it created.  Changing that involves source code changes.
> 

Okay. At least I know now that there is no workaround. So thank you for 
pointing that out. If needed, I can catch the certificate data while in 
debug mode.
And as Matthew already pointed to the right file in the source code, anyone 
coming here (via search engines) can build their own fix.


By the way, it looks like my issue would still be the same with the 
current state of FreeRADIUS on GitHub:
https://github.com/FreeRADIUS/freeradius-server/blob/master/src/lib/tls/validate.c#L198

Same return statement as in the 3.0.x code for certificate errors. 
Unfortunately, without adding the certificate attributes to a list 
(request) first ...

Andreas
