Hi, On Thu, Feb 09, 2012 at 04:42:31PM +0100, Alan DeKok wrote:
Matthew Newton wrote:
If the tls config HAS to be called common_tls, inside the eap module, then there's no need for the "tls=" entry any more - which could be another way of doing it, albeit slightly less flexible.
There may be use-cases where multiple virtual servers can share the same TLS configuration. Permitting a layer of indirection doesn't cost much, and is useful.
I've been a bit busy with other things, but have now got around to doing this. There's a branch at the following URL with a set of patches to do it. https://github.com/mcnewton/freeradius-server/commits/patch-tls-option Essentially they follow your helpful suggestions in the previous e-mail. It's something like: - Rejig config and eaptls_attach to move TLS specific options out from EAP-TLS section - update eaptls_initiate to just deal with EAP-TLS, moving session code to libeap - Add TLS config parsing to EAP-PEAP attach - add an eappeap_initiate function - ditto for EAP-TTLS - remove the "Wild & crazy stuff" from eap.c :-) - tidy the config a bit and add explanatory comments. The code also has a fallback, so if the new tls= options are not specified it will read the config as v2.x currently does (e.g. tls{} must exist before peap and ttls will load). There are still a few tiny bits that are duplicated between TLS/PEAP/TTLS, but it's a close call whether these are worth putting into some library function, or just leaving as-is for clarity. This lot now means that there should be no dependencies between PEAP/TTLS and TLS, so they each stand on their own. I think from the config perspective, it's also a lot cleaner as it's removed the dependency where you need EAP-TLS, even though you don't use it. It's tidied some switch()/if()s from the code, too.
The HARD thing about this is now the TLS configuration will be loaded multiple times. Once each for EAP-TLS, TTLS, and PEAP. Finding a way to avoid that would be good.
Agreed.
I have a simple way. :) Get me a patch as suggested, and fixing the "loading certs twice" problem is another ~5 lines of code.
I did this by caching the result in tls_server_conf_parse - if it's passed the same CONF_SECTION as the previous time, it returns the same conf pointer. As the EAP sections are pretty much always going to be called consecutively, this saves re-parsing each time. It was about 5 lines of code - dunno if it was what you were thinking or not ;-) Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>