Post-Autz New-TLS-Connection
Hi, In the 3.2.x branch, with the `Autz-Type New-TLS-Connection` it is possible to log the certificate details of the client trying to connect and check some additional things. Is there also a Post-Autz or something similar to log the certificate details if the client certificate has been rejected? I’m not able to find something in the documentation so the answer may be `no` but in case I’ve missed something would be great to point me to the docs. BR, Lineconnect
On Apr 29, 2024, at 6:41 AM, nabble@felix.world wrote:
In the 3.2.x branch, with the `Autz-Type New-TLS-Connection` it is possible to log the certificate details of the client trying to connect and check some additional things. Is there also a Post-Autz or something similar to log the certificate details if the client certificate has been rejected? I’m not able to find something in the documentation so the answer may be `no` but in case I’ve missed something would be great to point me to the docs.
The "linelog" module can log anything you want. There is no default built-in log methods for "failed TLS connection". You'll have to configure a special instance of the "linelog" module. Alan DeKok.
Sorry, i may have asked the question incorrectly. I was asking where I can call up the log module. When a RadSec authentication comes, the linelog module can be called in Autz-Type New-TLS-Connection. However, this section is only called if the certificate is valid. If it is not, the section is not called and I cannot execute the linelog module. BR, Lineconnect
On Apr 29, 2024, at 11:08 AM, nabble@felix.world wrote:
Sorry, i may have asked the question incorrectly. I was asking where I can call up the log module.
When a RadSec authentication comes, the linelog module can be called in Autz-Type New-TLS-Connection. However, this section is only called if the certificate is valid. If it is not, the section is not called and I cannot execute the linelog module.
Ah. There isn't a section which is run when the certificate is invalid. Alan DeKok.
Would that be a low hanging fruit on your side? The RadSec interfaces from network controllers is not always self-explaining nor the documentation is up-to-date and it would be great to see which certificate the client has used when errors like ‘unknown ca’ or ‘certificate expired’ are raised and creating a debug instance and put the server in debug mode could be avoided. I know that you’re happy to accept patches and I will also start to poke around when the time allows. BR, Lineconnect
On 29. Apr 2024, at 17:09, Alan DeKok <aland@deployingradius.com> wrote:
On Apr 29, 2024, at 11:08 AM, nabble@felix.world wrote:
Sorry, i may have asked the question incorrectly. I was asking where I can call up the log module.
When a RadSec authentication comes, the linelog module can be called in Autz-Type New-TLS-Connection. However, this section is only called if the certificate is valid. If it is not, the section is not called and I cannot execute the linelog module.
Ah. There isn't a section which is run when the certificate is invalid.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 29, 2024, at 11:21 AM, nabble@felix.world wrote:
Would that be a low hanging fruit on your side?
I'm a little swamped right now, but we'll see if I can find someone to look at it.
The RadSec interfaces from network controllers is not always self-explaining nor the documentation is up-to-date and it would be great to see which certificate the client has used when errors like ‘unknown ca’ or ‘certificate expired’ are raised and creating a debug instance and put the server in debug mode could be avoided.
Yes.
I know that you’re happy to accept patches and I will also start to poke around when the time allows.
The code in src/main/cb.c and src/main/tls.c shows it calling the ERROR() or RERROR() function for certificates which fail validation. So those errors should be logged to radiusd.log. That being said, if OpenSSL just rejects the certificate before the FreeRADIUS code is called, we might not be able to do much of anything. Run the server in debug mode to see what it does for failed certs, and then see what debug messages it produces. Then, look for those messages in the code to see what it's doing. There might be room for small easy tweaks. Alan DeKok.
participants (2)
-
Alan DeKok -
nabble@felix.world