Patch freeradius-server-release_3_0_25 for choosing server certificate based on SNI in tls client hello
Freeradius provides the ability to respond with different server certificates depending on SNI (Server-name-Indication) in the radsec's TLS client hello msg. But this functionality didn't work (always returned default server certificate irrespective of SNI). This is because in the callback tls_sni_callback, conf->realms check was failing. This comes from the tls_reals_load function in tls.c file where a hashtable is created and entries are added but conf->realms didn't get assigned to this hashtable. Following patch fixes the issues. Please correct if my understanding/root cause is incorrect. --- tls.c.orig 2022-01-21 05:51:27.428815007 +0000 +++ tls.c 2022-01-21 05:51:42.592755195 +0000 @@ -4505,7 +4505,7 @@ goto error; } } - + conf->realms = ht; return 0; }
On Jan 21, 2022, at 1:53 AM, Natarajan M <natarajan.m@gmail.com> wrote:
Freeradius provides the ability to respond with different server certificates depending on SNI (Server-name-Indication) in the radsec's TLS client hello msg. But this functionality didn't work (always returned default server certificate irrespective of SNI). This is because in the callback tls_sni_callback, conf->realms check was failing. This comes from the tls_reals_load function in tls.c file where a hashtable is created and entries are added but conf->realms didn't get assigned to this hashtable. Following patch fixes the issues. Please correct if my understanding/root cause is incorrect.
You're right. Thanks, I've pushed the fix. Alan DeKok.
participants (2)
-
Alan DeKok -
Natarajan M