Hello, I'm currently working on configuring the TLS cache and noticed that, upon reconnection, the client rewrites both files (.asn1 and .vps) in the configured directory. From what I understand, it should reuse the information stored in those files to avoid reestablishing the TLS connection from scratch. Alan, I promise I’ve read the comments in the configuration files, but I’m still struggling to fully understand how it works. I’d really appreciate it if you could help clarify this for me. root@loli-pc:/var/log/freeradius/tlscache# ll total 24K drwxr-xr-x 2 freerad freerad 4,0K jul 19 07:54 . drwxr-x--- 4 freerad freerad 4,0K jul 19 06:03 .. -rw------- 1 freerad freerad 1,2K jul 19 07:54 35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f.asn1 -rw-r--r-- 1 freerad freerad 1,5K jul 19 07:54 35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f.vps -rw------- 1 freerad freerad 1,2K jul 19 07:54 95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8.asn1 -rw-r--r-- 1 freerad freerad 1,5K jul 19 07:54 95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8.vps Fisrts connection 8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap: Removing EAP session with state 0x08b1afdb0eb6a23f (8) eap: Previous EAP request found for state 0x08b1afdb0eb6a23f, released from the list (8) eap: Peer sent packet with method EAP TLS (13) (8) eap: Calling submodule eap_tls to process data (8) eap_tls: (TLS) EAP Got final fragment (110 bytes) total 2642 (8) eap_tls: (TLS) EAP Done initial handshake (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server done (8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate (8) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain (8) eap_tls: TLS-Cert-Serial := "7903974cb1367854b0fb2ee672ff78c68211ba5e" (8) eap_tls: TLS-Cert-Expiration := "250726070714Z" (8) eap_tls: TLS-Cert-Valid-Since := "250527070714Z" (8) eap_tls: TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=free.loli.local" (8) eap_tls: TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=free.loli.local" (8) eap_tls: TLS-Cert-Common-Name := "free.loli.local" (8) eap_tls: TLS-Cert-CRL-Distribution-Points += " http://www.example.org/example_ca.crl" (8) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain (8) eap_tls: TLS-Client-Cert-Serial := "02" (8) eap_tls: TLS-Client-Cert-Expiration := "250726070721Z" (8) eap_tls: TLS-Client-Cert-Valid-Since := "250527070721Z" (8) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=lolito/emailAddress=userdsdsd@example.org" (8) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin@example.org/CN=free.loli.local" (8) eap_tls: TLS-Client-Cert-Common-Name := "lolito" (8) eap_tls: TLS-Client-Cert-CRL-Distribution-Points += " http://www.example.com/example_ca.crl" (8) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (8) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "FD:D3:42:C8:4A:F1:0C:65:A5:A3:B6:8E:2A:73:B0:FA:B2:0D:CF:CD" (8) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "86:BC:40:4A:6E:B2:66:02:81:A5:75:19:DF:93:B8:AD:12:75:75:60" (8) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client certificate (8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client key exchange (8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read certificate verify (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change cipher spec (8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished (8) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change cipher spec (8) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished (8) eap_tls: Serialising session 95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8, and storing in cache (8) eap_tls: WARNING: (TLS) TLS - Wrote session 95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8 to /var/log/freeradius/tlscache/95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8.asn1 (1175 bytes) (8) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished successfully (8) eap_tls: (TLS) TLS - Connection Established (8) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) eap_tls: TLS-Session-Version = "TLS 1.2" (8) eap: Sending EAP Request (code 1) ID 8 length 61 (8) eap: EAP session adding &reply:State = 0x08b1afdb0fb9a23f (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) Framed-MTU = 994 (8) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, CertificateRequest" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify" (8) TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake, Finished" (8) TLS-Cache-Filename = "/var/log/freeradius/tlscache/95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8.asn1" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (8) TLS-Session-Version = "TLS 1.2" (8) Sent Access-Challenge Id 94 from 192.168.122.1:1812 to 192.168.122.64:53296 length 119 (8) EAP-Message = 0x0108003d0d8000000033140303000101160303002805edd07841a6a266432a9833cf13cb26374e5900c2967dbef35d48b18a7f8be25844724e2f9a0645 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x08b1afdb0fb9a23fa8fead84ac6fdcc0 (8) Finished request Second (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) authenticate { (17) eap: Removing EAP session with state 0x4a09d2574c0edf49 (17) eap: Previous EAP request found for state 0x4a09d2574c0edf49, released from the list (17) eap: Peer sent packet with method EAP TLS (13) (17) eap: Calling submodule eap_tls to process data (17) eap_tls: (TLS) EAP Got final fragment (110 bytes) total 2642 (17) eap_tls: (TLS) EAP Done initial handshake (17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server done (17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate (17) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain (17) eap_tls: TLS-Cert-Serial := "7903974cb1367854b0fb2ee672ff78c68211ba5e" (17) eap_tls: TLS-Cert-Expiration := "250726070714Z" (17) eap_tls: TLS-Cert-Valid-Since := "250527070714Z" (17) eap_tls: TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=free.loli.local" (17) eap_tls: TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=free.loli.local" (17) eap_tls: TLS-Cert-Common-Name := "free.loli.local" (17) eap_tls: TLS-Cert-CRL-Distribution-Points += " http://www.example.org/example_ca.crl" (17) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain (17) eap_tls: TLS-Client-Cert-Serial := "02" (17) eap_tls: TLS-Client-Cert-Expiration := "250726070721Z" (17) eap_tls: TLS-Client-Cert-Valid-Since := "250527070721Z" (17) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=lolito/emailAddress=userdsdsd@example.org" (17) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress= admin@example.org/CN=free.loli.local" (17) eap_tls: TLS-Client-Cert-Common-Name := "lolito" (17) eap_tls: TLS-Client-Cert-CRL-Distribution-Points += " http://www.example.com/example_ca.crl" (17) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (17) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "FD:D3:42:C8:4A:F1:0C:65:A5:A3:B6:8E:2A:73:B0:FA:B2:0D:CF:CD" (17) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "86:BC:40:4A:6E:B2:66:02:81:A5:75:19:DF:93:B8:AD:12:75:75:60" (17) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client certificate (17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange (17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client key exchange (17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify (17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read certificate verify (17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change cipher spec (17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished (17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished (17) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec (17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change cipher spec (17) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished (17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished (17) eap_tls: Serialising session 35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f, and storing in cache (17) eap_tls: WARNING: (TLS) TLS - Wrote session 35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f to /var/log/freeradius/tlscache/35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f.asn1 (1175 bytes) (17) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished successfully (17) eap_tls: (TLS) TLS - Connection Established (17) eap_tls: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (17) eap_tls: TLS-Session-Version = "TLS 1.2" (17) eap: Sending EAP Request (code 1) ID 8 length 61 (17) eap: EAP session adding &reply:State = 0x4a09d2574d01df49
On Jul 19, 2025, at 1:05 PM, Rodrigo Prieto <rodrigoprieto2019@gmail.com> wrote:
Hello, I'm currently working on configuring the TLS cache and noticed that, upon reconnection, the client rewrites both files (.asn1 and .vps) in the configured directory.
That's fine, If the files aren't changed, then the TLS resumption data could be used multiple times. i.e. it could also share it with other systems, and then multiple systems could get online. As a result, the files change every tme.
From what I understand, it should reuse the information stored in those files to avoid reestablishing the TLS connection from scratch.
Changing the files doesn't mean that it re-establishes the TLS connection from scratch. Alan DeKok.
Thanks Alan for replying. I did the test using: eapol_test -r 1 -a 127.0.0.1 -c ap.conf -s testing123 and it appears that the session is reused. It works correctly with persistdir. (18) eap_tls: Peer requested cached session: 8a6b359de164537d987b6c6bb03d83fdaff91bda8ebbbd63f6a004b69aedc768 I'm trying to use Redis and the keys are being written to the server, but I'm getting the following error when using *EAP-TLS*. If I use *TTLS-PAP*, the session is cached properly. (8) eap_tls: WARNING: (TLS) EAP Total received record fragments (216 bytes), does not equal expected data length (0 bytes) (8) eap_tls: (TLS) EAP Done initial handshake (8) eap_tls: (TLS) TLS - Handshake state - before SSL initialization (8) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (8) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (8) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello (8) eap_tls: Peer requested cached session: 5b188250715704e4588e1362c66ab9ac4d9ee54d3dd6879b080f3511c9a0112f (0) cache load { (0) update { rlm_redis (redis): Reserved connection (1) rlm_redis (redis): executing the query: "GET 0x5b188250715704e4588e1362c66ab9ac4d9ee54d3dd6879b080f3511c9a0112f" (0) rlm_redis (redis): Can't write result, insufficient space or unsupported result rlm_redis (redis): Released connection (1) (0) EXPAND %{redis:GET %{request:TLS-Session-ID}} (0) --> (0) &Tmp-String-0 := (0) } # update = noop (0) if (!&Tmp-String-0 || &Tmp-String-0 =~ /\|/) { (0) if (!&Tmp-String-0 || &Tmp-String-0 =~ /\|/) -> FALSE (0) update { (0) EXPAND %{Tmp-String-0} (0) --> (0) &session-state:TLS-Session-Data := 0x (0) } # update = noop (0) } # cache load = noop (8) eap_tls: WARNING: (TLS) TLS - Failed loading persisted session: error:068000E0:asn1 encoding routines::too small 127.0.0.1:6379[1]> keys * 1) "0x0911b9f3dee5a86bdbb90dffe520f7cae867f2d06c2e801391953da73a369085" 2) "0x5b188250715704e4588e1362c66ab9ac4d9ee54d3dd6879b080f3511c9a0112f" 127.0.0.1:6379[1]> keys * 1) "0x0911b9f3dee5a86bdbb90dffe520f7cae867f2d06c2e801391953da73a369085" 2) "0x5b188250715704e4588e1362c66ab9ac4d9ee54d3dd6879b080f3511c9a0112f" 127.0.0.1:6379[1]> get 0x0911b9f3dee5a86bdbb90dffe520f7cae867f2d06c2e801391953da73a369085 "0x30820497020101020203030402c03004200911b9f3dee5a86bdbb90dffe520f7cae867f2d06c2e801391953da73a3690850430e44e32fb6e4b7c7e3bcc9fbc578ca41ca97110114c24d077fdc94deb97f10eb03a033d999e0da0b3d80dd0fe0d1a412ba1060204687cdec1a2050203015180a3820402308203fe308202e6a003020102020102300d06092a864886f70d01010b0500308185310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673118301606035504030c0f667265652e6c6f6c692e6c6f63616c301e170d3235303532373037303732315a170d3235303732363037303732315a306c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e310f300d06035504030c066c6f6c69746f3124302206092a864886f70d0109011615757365726473647364406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d33575358e628bacdc3f4a81b3950808552d918ab197a30328ca140928d61ceb0a4c73ca9948816c42110f572660c422bbb9a7bca8c07666a30b9bf3a885b71225d5923a4a7cf67d16aff4adf512a937651650c50dffe24165deefcfda900317370525085d490d36217e1749cc4dfd8877efd946f7cea82fb7d089b60461d38986d6e718a345c78c427bc4448097df7b040cf56e325c151e121a27fafd31aa277b96f9e2a55cc2aa56d5ada0a2122e25760a8bac1e2fea7b87538fd68454fe48bc71cd17a7fdb5cf581069b55a53b3ff8b0bc7fe1186f1d7d4e7f95bda29cb60bf61586c06412da8a3cab742c8fc8389486ba8417fafb48ee46398e2be3119690203010001a3819030818d30130603551d25040c300a06082b0601050507030230360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c301d0603551d0e04160414fdd342c84af10c65a5a3b68e2a73b0fab20dcfcd301f0603551d2304183016801486bc404a6eb2660281a57519df93b8ad12757560300d06092a864886f70d01010b05000382010100a7aa375b9089fccfda8c5d7400bb617d7fcc04239f7ae7df3e0fd8c9a8f880536208ef12512d631cb7600beefde5c2521318eb76cca8b23e47cd4f21bcbdd745e6fda94a62285a3f79ebdefcbba7194fdfc562cd50ad5f7ef9a501ba6c0b2b28de4661165879e576b9e765283c37bc679fa91d33377b87202fb61ad527b7eff38f015fd38dc8d683ccc2c793abb443af69b60f280ec2012b515b0dbb78ac7b9eb9cdd6203e5a246f6ec79835bab59528ba48858ee80d3250ddf1d52d181e10897073e021211e1cbc8e2cc8f4c3b17b23f43a8801ced77e6ed9552f3da07e184150835464fe07aeb0f39357d362419b9bd6eadbe2b05c4dda267fd18bfee1df5ca4170415465220656170203078353539306563323262646330ad03020101b303020117" 127.0.0.1:6379[1]> get 0x5b188250715704e4588e1362c66ab9ac4d9ee54d3dd6879b080f3511c9a0112f "0x30820497020101020203030402c03004205b188250715704e4588e1362c66ab9ac4d9ee54d3dd6879b080f3511c9a0112f04301e2fc32854abd41277e5335eac92c221d0d2dc0400a377521212554de2e8c05384d7291d70403290a7e9b4e0376f60dda1060204687cdec1a2050203015180a3820402308203fe308202e6a003020102020102300d06092a864886f70d01010b0500308185310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673118301606035504030c0f667265652e6c6f6c692e6c6f63616c301e170d3235303532373037303732315a170d3235303732363037303732315a306c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e310f300d06035504030c066c6f6c69746f3124302206092a864886f70d0109011615757365726473647364406578616d706c652e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d33575358e628bacdc3f4a81b3950808552d918ab197a30328ca140928d61ceb0a4c73ca9948816c42110f572660c422bbb9a7bca8c07666a30b9bf3a885b71225d5923a4a7cf67d16aff4adf512a937651650c50dffe24165deefcfda900317370525085d490d36217e1749cc4dfd8877efd946f7cea82fb7d089b60461d38986d6e718a345c78c427bc4448097df7b040cf56e325c151e121a27fafd31aa277b96f9e2a55cc2aa56d5ada0a2122e25760a8bac1e2fea7b87538fd68454fe48bc71cd17a7fdb5cf581069b55a53b3ff8b0bc7fe1186f1d7d4e7f95bda29cb60bf61586c06412da8a3cab742c8fc8389486ba8417fafb48ee46398e2be3119690203010001a3819030818d30130603551d25040c300a06082b0601050507030230360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c301d0603551d0e04160414fdd342c84af10c65a5a3b68e2a73b0fab20dcfcd301f0603551d2304183016801486bc404a6eb2660281a57519df93b8ad12757560300d06092a864886f70d01010b05000382010100a7aa375b9089fccfda8c5d7400bb617d7fcc04239f7ae7df3e0fd8c9a8f880536208ef12512d631cb7600beefde5c2521318eb76cca8b23e47cd4f21bcbdd745e6fda94a62285a3f79ebdefcbba7194fdfc562cd50ad5f7ef9a501ba6c0b2b28de4661165879e576b9e765283c37bc679fa91d33377b87202fb61ad527b7eff38f015fd38dc8d683ccc2c793abb443af69b60f280ec2012b515b0dbb78ac7b9eb9cdd6203e5a246f6ec79835bab59528ba48858ee80d3250ddf1d52d181e10897073e021211e1cbc8e2cc8f4c3b17b23f43a8801ced77e6ed9552f3da07e184150835464fe07aeb0f39357d362419b9bd6eadbe2b05c4dda267fd18bfee1df5ca4170415465220656170203078353539306563323262646330ad03020101b303020117" (9) eap_ttls: (TLS) EAP Done initial handshake (9) eap_ttls: (TLS) TTLS - Handshake state - before SSL initialization (9) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization (9) eap_ttls: (TLS) TTLS - Handshake state - Server before SSL initialization (9) eap_ttls: (TLS) TTLS - recv TLS 1.3 Handshake, ClientHello (9) eap_ttls: Peer requested cached session: ad0985c9cf07b899bb929529c09ca161d27bd690af1be4acb1c29a5fa0545ea0 (0) cache load { (0) update { rlm_redis (redis): Reserved connection (1) rlm_redis (redis): executing the query: "GET 0xad0985c9cf07b899bb929529c09ca161d27bd690af1be4acb1c29a5fa0545ea0" rlm_redis (redis): Released connection (1) (0) EXPAND %{redis:GET %{request:TLS-Session-ID}} (0) --> 0x308191020101... (truncated) (0) &Tmp-String-0 := 0x308191020101... (0) } # update = noop (0) if (!&Tmp-String-0 || &Tmp-String-0 =~ /\|/) { (0) if (!&Tmp-String-0 || &Tmp-String-0 =~ /\|/) -> FALSE (0) update { (0) EXPAND %{Tmp-String-0} (0) --> 0x308191020101... (0) &session-state:TLS-Session-Data := 0x308191020101... (0) } # update = noop (0) } # cache load = noop (9) eap_ttls: Successfully restored session ad0985c9cf07b899bb929529c09ca161d27bd690af1be4acb1c29a5fa0545ea0 I didn't post the full debug because it's very long — but if you need it, I can share it. Thanks. El dom, 20 jul 2025 a las 9:01, Alan DeKok via Freeradius-Users (< freeradius-users@lists.freeradius.org>) escribió:
On Jul 19, 2025, at 1:05 PM, Rodrigo Prieto <rodrigoprieto2019@gmail.com> wrote:
Hello, I'm currently working on configuring the TLS cache and noticed
that,
upon reconnection, the client rewrites both files (.asn1 and .vps) in the configured directory.
That's fine, If the files aren't changed, then the TLS resumption data could be used multiple times.
i.e. it could also share it with other systems, and then multiple systems could get online.
As a result, the files change every tme.
From what I understand, it should reuse the information stored in those files to avoid reestablishing the TLS connection from scratch.
Changing the files doesn't mean that it re-establishes the TLS connection from scratch.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jul 20, 2025, at 2:40 PM, Rodrigo Prieto <rodrigoprieto2019@gmail.com> wrote:
Thanks Alan for replying. I did the test using: eapol_test -r 1 -a 127.0.0.1 -c ap.conf -s testing123 and it appears that the session is reused. It works correctly with persistdir. (18) eap_tls: Peer requested cached session: 8a6b359de164537d987b6c6bb03d83fdaff91bda8ebbbd63f6a004b69aedc768
I'm trying to use Redis and the keys are being written to the server, but I'm getting the following error when using EAP-TLS. If I use TTLS-PAP, the session is cached properly.
There shouldn't be many differences between TLS and TTLS-PAP for caching.
rlm_redis (redis): executing the query: "GET 0x5b188250715704e4588e1362c66ab9ac4d9ee54d3dd6879b080f3511c9a0112f" (0) rlm_redis (redis): Can't write result, insufficient space or unsupported result
Hmm... what's likely happening here is that the session data is larger than 8K. And there are many buffers in v3 which are hard-coded to being 8K in length. I've updated v3.2.x to have a clearer message, but that won't address the issue. This issue is fixed in v4, but we'll take a look at seeing what we can do for v3. Alan DeKok.
Thanks Alan. El dom., 20 de julio de 2025 11:00, Alan DeKok <aland@deployingradius.com> escribió:
On Jul 20, 2025, at 2:40 PM, Rodrigo Prieto <rodrigoprieto2019@gmail.com> wrote:
Thanks Alan for replying. I did the test using: eapol_test -r 1 -a 127.0.0.1 -c ap.conf -s testing123 and it appears that the session is reused. It works correctly with
persistdir.
(18) eap_tls: Peer requested cached session: 8a6b359de164537d987b6c6bb03d83fdaff91bda8ebbbd63f6a004b69aedc768
I'm trying to use Redis and the keys are being written to the server, but I'm getting the following error when using EAP-TLS. If I use TTLS-PAP, the session is cached properly.
There shouldn't be many differences between TLS and TTLS-PAP for caching.
rlm_redis (redis): executing the query: "GET 0x5b188250715704e4588e1362c66ab9ac4d9ee54d3dd6879b080f3511c9a0112f" (0) rlm_redis (redis): Can't write result, insufficient space or unsupported result
Hmm... what's likely happening here is that the session data is larger than 8K. And there are many buffers in v3 which are hard-coded to being 8K in length.
I've updated v3.2.x to have a clearer message, but that won't address the issue.
This issue is fixed in v4, but we'll take a look at seeing what we can do for v3.
Alan DeKok.
participants (2)
-
Alan DeKok -
Rodrigo Prieto