3.0.x: persistent TLS session cache
Hi, now on 3.0.x to follow the die on exit code fixes... and found something else: I've configured TLS session caches in mods-enabled/eap. The directory to cache sessions in exists, and with the user radiusd on the shell I can touch files in that directory. And yet: (3) eap_peap : TLS_accept: SSLv3 write finished A (3) eap_peap : TLS_accept: SSLv3 flush data SSL: adding session 9b8b9b86357428cced36cd4aac564d9b17a6258cd84cf070b38a974eb563f62c to cache SSL: could not open session file %{logdir}/tlscache-eduroam-users/9b8b9b86357428cced36cd4aac564d9b17a6258cd84cf070b38a974eb563f62c.asn1: (3) eap_peap : (other): SSL negotiation finished successfully SSL Connection Established Well, I used %{logdir} in my persist_dir setting in the config alright, but... looking at the code, this debug message prints exactly what's being used for the open() call - so %{logdir} should have been expanded to the literal path, right? Is there some xlat() missing here? Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Stefan Winter wrote:
9b8b9b86357428cced36cd4aac564d9b17a6258cd84cf070b38a974eb563f62c to cache SSL: could not open session file %{logdir}/tlscache-eduroam-users/9b8b9b86357428cced36cd4aac564d9b17a6258cd84cf070b38a974eb563f62c.asn1:
That filename isn't dynamically expanded. You need to use ${logdir}
Well, I used %{logdir} in my persist_dir setting in the config alright,
It's probably wrong.
but... looking at the code, this debug message prints exactly what's being used for the open() call - so %{logdir} should have been expanded to the literal path, right?
Is there some xlat() missing here?
Maybe. You also need to separate *configuration* variables from *request* variables. The configuration variables are static, and read from the config files. They're ${foo}. The request variables are dynamic, and change with every request. They're all %{foo} %{logdir} is wrong. It's interpreted as a request attribute. But the 'logdir' attribute doesn't exist, so it expands to nothing. %{User-Name} is very different from ${logdir}. Alan DeKok.
Hi,
Well, I used %{logdir} in my persist_dir setting in the config alright,
It's probably wrong.
Gah! I read the sample config file n times - but for the life of me didn't spot % vs. $ in that line. Sorry for the noise. I think I've got a more real issue with the session cache, but will have a coffee first. Stefan
but... looking at the code, this debug message prints exactly what's being used for the open() call - so %{logdir} should have been expanded to the literal path, right?
Is there some xlat() missing here?
Maybe.
You also need to separate *configuration* variables from *request* variables. The configuration variables are static, and read from the config files. They're ${foo}. The request variables are dynamic, and change with every request. They're all %{foo}
%{logdir} is wrong. It's interpreted as a request attribute. But the 'logdir' attribute doesn't exist, so it expands to nothing.
%{User-Name} is very different from ${logdir}.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
participants (2)
-
Alan DeKok -
Stefan Winter