TLS failover behaviour and a backtrace if you want it.

FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) andy.franks1 at nhs.net
Mon Nov 18 14:44:25 CET 2019


Hi,
  Using 3.0.19 on Ubuntu from the Ubuntu networkradius repo.
I've been doing some testing on tls proxy connections.

sites-enabled/tls below.

home_server rsh-haproxy-rp1 {
        ipaddr = 192.168.110.46
        port = 2083
        type = auth
        secret = radsec
        proto = tcp
        status_check = none
        tls {
                private_key_file = /etc/freeradius/certs/privkey.pem
                certificate_file = /etc/freeradius/certs/fullchain.pem
                ca_file = /etc/ssl/certs/ca-certificates.crt
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                fragment_size = 8192
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
        }
        limit {
                idle_timeout = 0
        }
}

home_server prh-haproxy-rp1 {
        ipaddr = 192.168.12.200
        port = 2083
        type = auth
        secret = radsec
        proto = tcp
        status_check = none
        tls {
                private_key_file = /etc/freeradius/certs/privkey.pem
                certificate_file = /etc/freeradius/certs/fullchain.pem
                ca_file = /etc/ssl/certs/ca-certificates.crt
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
                fragment_size = 8192
                ca_path = ${cadir}
                cipher_list = "DEFAULT"
        }
}

home_server_pool some_radius_servers {
        type = fail-over
        home_server = rsh-haproxy-rp1
        home_server = prh-haproxy-rp1
}

realm DEFAULT {
        auth_pool = some_radius_servers
}

Firstly, I must admit I expected failover to be "within the same request", but it takes a repeat request from the client should a TLS server be unavailable. I guess this is just me misunderstanding the failover for TLS; I assumed it was the same as something like a redundant {} section.

If the server isn't listening on 2083, i.e. service stopped:

..
(1) Starting proxy to home server 192.168.110.46 port 2083
(1) server default {
(1) }
Failed opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (192.168.110.46, 2083)' : Failed connecting socket: Connection refused
(1) Failed to insert request into the proxy list
(1) There was no response configured: rejecting request
..

If the client repeats the request, it tries the next server OK, but I'd be a little concerned some might not after a direct reject reply.

Could someone please confirm this is by design?

Also, I'm noticing a crash if the home server pool is depleted to zero, i.e. all servers are down. It's unlikely to happen, but you may be interested in coding these out.

..
(2)   } # authorize = updated
(2) ERROR: Failed to find live home server: Cancelling proxy
(2) WARNING: No home server selected
(2) Clearing existing &reply: attributes
(2) Found Post-Proxy-Type Fail-Authentication

Thread 3 "freeradius" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe552e700 (LWP 169613)]
0x0000555555587c8b in ?? ()
(gdb) bt
#0  0x0000555555587c8b in ?? ()
#1  0x000055555558e61a in ?? ()
#2  0x0000555555586a75 in ?? ()
#3  0x00007ffff6bde6db in start_thread (arg=0x7fffe552e700) at pthread_create.c:463
#4  0x00007ffff644b88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thanks
Andy
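The two behaviours Andy describes above, the fail-over that only happens on the client's next request and the crash when every home server in the pool is down, can be illustrated with a small model of what a "within the same request" fail-over would look like. The following is an added example, not FreeRADIUS code and not from the original post: it walks a fail-over pool in the order the `home_server_pool` lists its members, treats a refused TCP connection as "this home server is down" and moves on to the next one, and returns a clean rejection rather than crashing when the pool is depleted to zero. The `HomeServer`, `select_live_home_server` and `proxy_with_failover` names, the local listener used to stand in for a live home server and the closed port used to stand in for a stopped one are all constructed for this example; real RadSec would additionally wrap the socket in TLS.

```python
import socket
import threading
from dataclasses import dataclass
from typing import Callable, List, Optional


# Hypothetical model of one home_server entry; the field names mirror the
# config keys in the post. This is illustration code, not FreeRADIUS itself.
@dataclass(frozen=True)
class HomeServer:
    name: str
    ipaddr: str
    port: int
    proto: str = "tcp"


class PoolDepleted(Exception):
    """Raised when no home server in the pool accepts a connection."""


def tcp_connect(hs: HomeServer, timeout: float = 0.5) -> socket.socket:
    # A stopped service shows up as ECONNREFUSED and a black-holed host as a
    # timeout; both surface as OSError, which the caller treats as "down".
    return socket.create_connection((hs.ipaddr, hs.port), timeout=timeout)


def select_live_home_server(
    pool: List[HomeServer],
    connect: Callable[[HomeServer], socket.socket] = tcp_connect,
) -> HomeServer:
    """Walk a fail-over pool in order and return the first server that accepts
    a connection, i.e. fail over within the same request instead of rejecting
    and waiting for the client to retry."""
    errors = []
    for hs in pool:
        try:
            sock = connect(hs)
        except OSError as exc:
            errors.append(f"{hs.name} ({hs.ipaddr}:{hs.port}): {exc}")
            continue
        sock.close()
        return hs
    # Every member was tried: report that as a condition, not a crash.
    raise PoolDepleted("no live home server in pool: " + "; ".join(errors))


def proxy_with_failover(
    pool: List[HomeServer],
    connect: Callable[[HomeServer], socket.socket] = tcp_connect,
) -> Optional[str]:
    """Return the name of the home server the request would be proxied to,
    or None when the pool is depleted (the request is then rejected cleanly)."""
    try:
        return select_live_home_server(pool, connect).name
    except PoolDepleted:
        return None


# --- constructed stand-ins for a live and a stopped home server -------------

def start_listener(host: str = "127.0.0.1"):
    """Accept-and-close listener on an ephemeral port, standing in for a
    home server that is up. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port(host: str = "127.0.0.1") -> int:
    """Pick a port that nothing listens on, so connecting to it is refused
    exactly like the 'service stopped' case in the post."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, live_port = start_listener()
    dead_port = closed_port()
    pool = [
        HomeServer("rsh-haproxy-rp1", "127.0.0.1", dead_port),  # stopped
        HomeServer("prh-haproxy-rp1", "127.0.0.1", live_port),  # running
    ]
    print("first request goes to:", proxy_with_failover(pool))
    print("all down:", proxy_with_failover(pool[:1]))
    srv.close()
```

The point of the `PoolDepleted` path is the one the backtrace in the post illustrates: "no live home server" is an ordinary outcome of a fail-over pool and has to end in a reject with a useful log line, never in a dereference of a server that was never selected.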
