On Wed, Jun 13, 2012 at 3:50 PM, Alan DeKok <aland@deployingradius.com> wrote:
august huber wrote:
> I have to disagree here, it is useful for the client to understand that
> their transaction failed due to an expired cert versus a revoked cert
> versus having sent a cert that does not verify up to a known CA chain
> (as some platforms are especially bad at self selecting credentials when
> more than one is present)

 I'm not sure those errors are sent anywhere.  Most clients would never
show them to the user.
Alternate idea, perhaps passing this data back in an EAP-Notify before EAP-Failure would be the proper integration point?
 

> For a complete list of alerts that are supported see RFC2246 Section 7.2
> OpenSSL is already populating this for us during the verify, FreeRadius
> is explicitly removing it from the response.

 Yes.  As I said, that's largely intentional.

> This will not cause the connections to remain open, but instead will
> send an Alert with the cause during the shutdown.

 It won't keep them open *forever*.  It will keep them open past the
point where the user has been rejected.

 It might work, I don't know.  But the last I recalled was that
SSL_quiet_shutdown was needed.

 See the git logs for details.  It's in there somewhere.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html