query on freeradius-server ocsp function and rlm_unbound

SIMON BABY simonkbaby at gmail.com
Wed Aug 19 20:57:35 CEST 2020


Hi Alan,

I was looking into the OpenSSL code flow to understand how the DNS
resolution is handled inside OpenSSL. I see the API below but could not
find the final DNS resolution code. Could you please send me some part of
the code/APIs/files I can start looking into?

BIO_new_connect() calls BIO_new() and BIO_set_conn_hostname(), which is
defined as below (OpenSSL 1.0.1c doxygen,
https://docs.huihoo.com/doxygen/openssl/1.0.1c/include_2openssl_2bio_8h.html):

#define BIO_set_conn_hostname(b, name) BIO_ctrl(b, BIO_C_SET_CONNECT, 0, (char *)name)

BIO_ctrl() is defined in the file crypto/bio/bio_lib.c.

long BIO_ctrl(BIO *b, int cmd, long larg, void *parg)

Thank you for your great help

Regards
Simon

On Wed, Aug 19, 2020 at 7:00 AM SIMON BABY <simonkbaby at gmail.com> wrote:

> Thank you, Alan.
>
> Regards
> Simon
>
> On Wednesday, August 19, 2020, Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Aug 19, 2020, at 12:55 AM, SIMON BABY <simonkbaby at gmail.com> wrote:
>> > My name is Simon and I am new to this group. I have some basic queries
>> > regarding the ocsp functionality in freeradius-server code.
>> >
>> > I am referring to the file freeradius-server-3.0.17/src/main/tls.c with
>> > below code sample.
>> >
>> > RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path);
>> >
>> >        /* Check host and port length are sane, then create Host: HTTP header */
>> >        if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) {
>> >                RWDEBUG("ocsp: Host and port too long");
>> >                goto skipped;
>> >        }
>> >        snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port);
>> >
>> >        /* Setup BIO socket to OCSP responder */
>> >        cbio = BIO_new_connect(host);
>> >
>> >
>> > 1. How are we resolving the OCSP responder IP address from the name
>> server
>>
>>   All of the DNS resolving is done in the BIO_new_connect() API.
>>
>> > ? Are we using DNS/DNSSEC (unbound APIs) ?
>>
>>   No.
>>
>> > 2. Do we really need to do DNSSEC validation for resolving OCSP domain
>> > names?
>>
>>   No.
>>
>> > 3. May I know in which file the BIO_ APIs are implemented?
>>
>>   OpenSSL.  Search online for BIO_new_connect(), and you'll get lots of
>> OpenSSL documentation.
>>
>> > 4. what is the use of the rlm_unbound module in freeradius-server
>> package?
>>
>>   So that you can create RADIUS attributes which contain DNS names.
>>
>> > Can I use it for resolving OCSP name servers?
>>
>>   No.  All of the DNS resolution is buried inside of OpenSSL.
>>
>>   The short answer here is that you don't need asynchronous DNS
>> resolution.  You need a DNS server which is fast, and which stays up.
>>
>>   If RADIUS is a critical production system, then everything it needs is
>> critical, too.  You can't take down systems needed by RADIUS, and expect
>> the RADIUS server to do... what, exactly?  Stay up?  Keep running?
>>
>>   This goes for DNS, databases, etc.  There's only so much you can do in
>> a RADIUS server to work around the issue of "something I need is down".
>>
>>   Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
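
Added worked example (not code from FreeRADIUS or OpenSSL, and not part of
either message above): the steps the quoted tls.c snippet relies on, written
out in plain C. It splits a responder URL into host, port and path the way
tls.c consumes the output of OpenSSL's OCSP_parse_url(), applies the same
strlen(host) + strlen(port) + 2 guard before building the Host: header, and
then performs the lookup that BIO_new_connect() hides. For reference, OpenSSL
does that lookup inside the connect BIO with the platform resolver:
BIO_lookup_ex() in crypto/bio/bio_addr.c over getaddrinfo(3) in 1.1.x, and
BIO_get_host_ip() in crypto/bio/b_sock.c over gethostbyname(3) in 1.0.x.
Both are synchronous calls into the libc stub resolver, with no timeout
control and no DNSSEC validation at that layer, which is what the answers in
the thread amount to. The URL parser, the helper names and the sample URL
(192.0.2.10 is a documentation address) are this example's own assumptions,
and AI_NUMERICHOST is set only so the example runs offline.

```c
/* Added example, not FreeRADIUS or OpenSSL code. Helper names, the URL
 * parser and the sample URL below are constructed for illustration. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Split "http://host[:port]/path" into host, port (default "80") and path
 * ("/" if absent), the shape tls.c gets back from OCSP_parse_url().
 * Assumption: plain http, no userinfo, no bracketed IPv6 literal. */
static int split_responder_url(const char *url, char *host, size_t hlen,
                               char *port, size_t plen,
                               char *path, size_t palen)
{
    const char *p, *hostend, *colon, *slash;
    size_t n;

    if (strncmp(url, "http://", 7) != 0) return -1;
    p = url + 7;
    slash = strchr(p, '/');
    hostend = slash ? slash : p + strlen(p);
    colon = memchr(p, ':', (size_t)(hostend - p));

    n = (size_t)((colon ? colon : hostend) - p);
    if (n == 0 || n >= hlen) return -1;
    memcpy(host, p, n);
    host[n] = '\0';

    if (colon) {
        n = (size_t)(hostend - colon - 1);
        if (n == 0 || n >= plen) return -1;
        memcpy(port, colon + 1, n);
        port[n] = '\0';
    } else {
        snprintf(port, plen, "80");
    }
    snprintf(path, palen, "%s", slash ? slash : "/");
    return 0;
}

/* The guard from tls.c: host + ':' + port + NUL must fit the fixed buffer.
 * Returns -1 where tls.c takes the "skipped" branch, so an over-long value
 * is refused rather than silently truncated by snprintf(). */
static int build_host_header(const char *host, const char *port,
                             char *hostheader, size_t size)
{
    if ((strlen(host) + strlen(port) + 2) > size) return -1;
    snprintf(hostheader, size, "%s:%s", host, port);
    return 0;
}

/* The blocking resolution step BIO_new_connect() performs internally via
 * the platform resolver. There is no timeout knob and no DNSSEC validation
 * here; a slow resolver stalls the caller. AI_NUMERICHOST is passed by the
 * example only so that it runs offline; pass 0 to see a real lookup. */
static int resolve_responder(const char *host, const char *port, int flags,
                             char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    const void *addr;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;

    if (getaddrinfo(host, port, &hints, &res) != 0 || res == NULL) return -1;

    if (res->ai_family == AF_INET) {
        addr = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
    } else if (res->ai_family == AF_INET6) {
        addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
    } else {
        freeaddrinfo(res);
        return -1;
    }
    inet_ntop(res->ai_family, addr, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return 0;
}

int main(void)
{
    char host[64], port[8], path[128], hostheader[64], ip[INET6_ADDRSTRLEN];
    const char *url = "http://192.0.2.10:8080/ocsp";   /* constructed sample */

    if (split_responder_url(url, host, sizeof(host), port, sizeof(port),
                            path, sizeof(path)) != 0) return 1;
    if (build_host_header(host, port, hostheader, sizeof(hostheader)) != 0) return 1;
    printf("Host: %s  path: %s\n", hostheader, path);
    if (resolve_responder(host, port, AI_NUMERICHOST, ip, sizeof(ip)) == 0)
        printf("connect to %s port %s\n", ip, port);
    return 0;
}
```

The practical consequence for a deployment: the lookup runs inside the thread
that is handling the EAP session, so a slow or unreachable resolver stalls
that request for as long as the stub resolver's own retry budget allows (the
timeout: and attempts: options in resolv.conf), and rlm_unbound cannot be
substituted for it. The mitigation is the one given in the thread, a fast and
highly available resolver; in practice a local caching resolver on the RADIUS
host (for example unbound listening on 127.0.0.1) that does any DNSSEC
validation on its own.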


More information about the Freeradius-Users mailing list