query on freeradius-server ocsp function and rlm_unbound

Alan DeKok aland at deployingradius.com
Wed Aug 19 13:55:28 CEST 2020


On Aug 19, 2020, at 12:55 AM, SIMON BABY <simonkbaby at gmail.com> wrote:
> My name is Simon and I am new to this group. I have some basic queries
> regarding the ocsp functionality in freeradius-server code.
> 
> I am referring to the file freeradius-server-3.0.17/src/main/tls.c with
> below code sample.
> 
> RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path);
> 
>        /* Check host and port length are sane, then create Host: HTTP header */
>        if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) {
>                RWDEBUG("ocsp: Host and port too long");
>                goto skipped;
>        }
>        snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port);
> 
>        /* Setup BIO socket to OCSP responder */
>        cbio = BIO_new_connect(host);
> 
> 
> 1. How are we resolving the OCSP responder IP address from the name server

  All of the DNS resolving is done in the BIO_new_connect() API.

> ? Are we using DNS/DNSSEC (unbound APIs) ?

  No.

> 2. Do we really need to do DNSSEC validation for resolving OCSP domain
> names?

  No.

> 3. May I know in which file the BIO_ APIs are implemented?

  OpenSSL.  Search online for BIO_new_connect(), and you'll get lots of OpenSSL documentation.

> 4. what is the use of the rlm_unbound module in freeradius-server package?

  So that you can create RADIUS attributes which contain DNS names.

> Can I use it for resolving OCSP name servers?

  No.  All of the DNS resolution is buried inside of OpenSSL.

  The short answer here is that you don't need asynchronous DNS resolution.  You need a DNS server which is fast, and which stays up.

  If RADIUS is a critical production system, then everything it needs is critical, too.  You can't take down systems needed by RADIUS, and expect the RADIUS server to do... what, exactly?  Stay up?  Keep running?

  This goes for DNS, databases, etc.  There's only so much you can do in a RADIUS server to work around the issue of "something I need is down".

  Alan DeKok.
