query on freeradius-server ocsp function and rlm_unbound

SIMON BABY simonkbaby at gmail.com
Wed Aug 19 16:00:07 CEST 2020


Thank you Alan.

Regards
Simon

On Wednesday, August 19, 2020, Alan DeKok <aland at deployingradius.com> wrote:

> On Aug 19, 2020, at 12:55 AM, SIMON BABY <simonkbaby at gmail.com> wrote:
> > My name is Simon and I am new to this group. I have some basic queries
> > regarding the ocsp functionality in freeradius-server code.
> >
> > I am referring to the file freeradius-server-3.0.17/src/main/tls.c with
> > below code sample.
> >
> > RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path);
> >
> >        /* Check host and port length are sane, then create Host: HTTP header */
> >        if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) {
> >                RWDEBUG("ocsp: Host and port too long");
> >                goto skipped;
> >        }
> >        snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port);
> >
> >        /* Setup BIO socket to OCSP responder */
> >        cbio = BIO_new_connect(host);
> >
> >
> > 1. How are we resolving the OCSP responder IP address from the name
> server
>
>   All of the DNS resolving is done in the BIO_new_connect() API.
>
> > ? Are we using DNS/DNSSEC (unbound APIs) ?
>
>   No.
>
> > 2. Do we really need to do DNSSEC  validation for resolving OCSP domain
> > names?
>
>   No.
>
> > 3. May I know in which file the BIO_ APIs are implemented?
>
>   OpenSSL.  Search online for BIO_new_connect(), and you'll get lots of
> OpenSSL documentation.
>
> > 4. what is the use of the rlm_unbound module in freeradius-server
> package?
>
>   So that you can create RADIUS attributes which contain DNS names.
>
> > Can I use it for resolving OCSP name servers?
>
>   No.  All of the DNS resolution is buried inside of OpenSSL.
>
>   The short answer here is that you don't need asynchronous DNS
> resolution.  You need a DNS server which is fast, and which stays up.
>
>   If RADIUS is a critical production system, then everything it needs is
> critical, too.  You can't take down systems needed by RADIUS, and expect
> the RADIUS server to do... what, exactly?  Stay up?  Keep running?
>
>   This goes for DNS, databases, etc.  There's only so much you can do in a
> RADIUS server to work around the issue of "something I need is down".
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
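As an added example (not FreeRADIUS or OpenSSL code, and not part of the thread) of the Host: header construction in the tls.c snippet Simon quotes: a hypothetical `parse_responder_url` splits an http:// responder URL into host, port and path the way tls.c receives them from OpenSSL's URL parser, and `build_host_header` applies the same `strlen(host) + strlen(port) + 2 > sizeof(hostheader)` check before the `snprintf`. The name lookup itself is not shown, since, as Alan says, it happens inside `BIO_new_connect()`.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical helper (not FreeRADIUS code): split an http:// responder
 * URL into host, port and path, mirroring what tls.c receives from
 * OpenSSL's URL parser. Only the plain http scheme is handled. */
static bool parse_responder_url(const char *url, char *host, size_t hostlen,
                                char *port, size_t portlen,
                                char *path, size_t pathlen)
{
    const char *p = url, *hend, *pend;
    size_t n;

    if (strncmp(p, "http://", 7) != 0) return false;
    p += 7;
    hend = p + strcspn(p, ":/");          /* host ends at ':' or '/' */
    n = (size_t)(hend - p);
    if (n == 0 || n >= hostlen) return false;
    memcpy(host, p, n);
    host[n] = '\0';

    if (*hend == ':') {                   /* explicit port given */
        p = hend + 1;
        pend = p + strcspn(p, "/");
        n = (size_t)(pend - p);
        if (n == 0 || n >= portlen) return false;
        memcpy(port, p, n);
        port[n] = '\0';
        p = pend;
    } else {                              /* default HTTP port */
        if (portlen < 3) return false;
        strcpy(port, "80");
        p = hend;
    }
    snprintf(path, pathlen, "%s", *p ? p : "/");
    return true;
}

/* Build the "host:port" value for the Host: header into a fixed buffer,
 * applying the same length check the quoted tls.c snippet performs:
 * host, ':', port and the terminating NUL must all fit in outlen.
 * Returns false instead of truncating, which is what tls.c's
 * "goto skipped" path achieves. */
static bool build_host_header(char *out, size_t outlen,
                              const char *host, const char *port)
{
    if ((strlen(host) + strlen(port) + 2) > outlen) return false;
    snprintf(out, outlen, "%s:%s", host, port);
    return true;
}
```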