august huber wrote:
I have to disagree here, it is useful for the client to understand that their transaction failed due to an expired cert versus a revoked cert versus having sent a cert that does not verify up to a known CA chain (as some platforms are especially bad at self selecting credentials when more than one is present)
I'm not sure those errors are sent anywhere. Most clients would never show them to the user.
For a complete list of alerts that are supported see RFC2246 Section 7.2 OpenSSL is already populating this for us during the verify, FreeRadius is explicitly removing it from the response.
Yes. As I said, that's largely intentional.
This will not cause the connections to remain open, but instead will send an Alert with the cause during the shutdown.
It won't keep them open *forever*. It will keep them open past the point where the user has been rejected. It might work, I don't know. But the last I recalled was that SSL_quiet_shutdown was needed. See the git logs for details. It's in there somewhere. Alan DeKok.