Yes I am using RADSEC which uses TLS. I see in TLS establishment procedure first part is TCP connection and then starts TLS handshake to make a secure connection. I am facing an issue in the first part in TCP connect, thread get stuck here in *fr_socket_client_tcp and *does not come out for 2 mins if AAA server is down or network is unavailable which impacts other radius messages to process around that time. This blocks the complete server to process any message. My doubt is whether this TCP blocking for 2 mins before the TLS handshake procedure gets fixed with this TLS non-blocking PRs ? Thanks, Saurabha On Tue, Jun 6, 2023 at 11:32 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 6, 2023, at 7:57 AM, saurabha badhai <saurabha.badhai@gmail.com> wrote:
Yes got it, so in TLS connection, TCP connect can be used as non-Blocking mode now with the PR #5013 without any issue, Could you please confirm ?
If you read the code, you'll see that bare TCP cannot be used in non-blocking mode.
The non-blocking code uses the internal TLS buffers to write data when the TCP connection is blocked. Those TLS buffers don't exist for RADIUS/TCP. So they're not used.
In short: don't use RADIUS/TCP. It's insecure. It offers no value over RADIUS/UDP, or RADIUS/TLS.
Just use RADIUS/TLS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html