query on freeradius-server ocsp function and rlm_unbound
Hello, My name is Simon and I am new to this group. I have some basic queries regarding the ocsp functionality in freeradius-server code. I am referring to the file freeradius-server-3.0.17/src/main/tls.c with below code sample. RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path); /* Check host and port length are sane, then create Host: HTTP header */ if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) { RWDEBUG("ocsp: Host and port too long"); goto skipped; } snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port); /* Setup BIO socket to OCSP responder */ cbio = BIO_new_connect(host); 1. How are we resolving the OCSP responder IP address from the name server ? Are we using DNS/DNSSEC (unbound APIs) ? 2. Do we really need to do DNSSEC validation for resolving OCSP domain names? 3. May I know in which file the BIO_ APIs are implemented? 4. what is the use of the rlm_unbound module in freeradius-server package? Can I use it for resolving OCSP name servers? If so, May I know the process to use it. Thank you for you time. Regards Simon
On Aug 19, 2020, at 12:55 AM, SIMON BABY <simonkbaby@gmail.com> wrote:
My name is Simon and I am new to this group. I have some basic queries regarding the ocsp functionality in freeradius-server code.
I am referring to the file freeradius-server-3.0.17/src/main/tls.c with below code sample.
RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path);
/* Check host and port length are sane, then create Host: HTTP header */ if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) { RWDEBUG("ocsp: Host and port too long"); goto skipped; } snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port);
/* Setup BIO socket to OCSP responder */ cbio = BIO_new_connect(host);
1. How are we resolving the OCSP responder IP address from the name server
All of the DNS resolving is done in the BIO_new_connect() API.
? Are we using DNS/DNSSEC (unbound APIs) ?
No.
2. Do we really need to do DNSSEC validation for resolving OCSP domain names?
No.
3. May I know in which file the BIO_ APIs are implemented?
OpenSSL. Search online for BIO_new_connect(), and you'll get lots of OpenSSL documentation.
4. what is the use of the rlm_unbound module in freeradius-server package?
So that you can create RADIUS attributes which contain DNS names.
Can I use it for resolving OCSP name servers?
No. All of the DNS resolution is buried inside of OpenSSL. The short answer here is that you don't need asynchronous DNS resolution. You need a DNS server which is fast, and which stays up. If RADIUS is a critical production system, then everything it needs is critical, too. You can't take down systems needed by RADIUS, and expect the RADIUS server to do... what, exactly? Stay up? Keep running? This goes for DNS, databases, etc. There's only so much you can do in a RADIUS server to work around the issue of "something I need is down". Alan DeKok.
Thank you Alan . Regards Simon On Wednesday, August 19, 2020, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 19, 2020, at 12:55 AM, SIMON BABY <simonkbaby@gmail.com> wrote:
My name is Simon and I am new to this group. I have some basic queries regarding the ocsp functionality in freeradius-server code.
I am referring to the file freeradius-server-3.0.17/src/main/tls.c with below code sample.
RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path);
/* Check host and port length are sane, then create Host: HTTP header */ if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) { RWDEBUG("ocsp: Host and port too long"); goto skipped; } snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port);
/* Setup BIO socket to OCSP responder */ cbio = BIO_new_connect(host);
1. How are we resolving the OCSP responder IP address from the name server
All of the DNS resolving is done in the BIO_new_connect() API.
? Are we using DNS/DNSSEC (unbound APIs) ?
No.
2. Do we really need to do DNSSEC validation for resolving OCSP domain names?
No.
3. May I know in which file the BIO_ APIs are implemented?
OpenSSL. Search online for BIO_new_connect(), and you'll get lots of OpenSSL documentation.
4. what is the use of the rlm_unbound module in freeradius-server package?
So that you can create RADIUS attributes which contain DNS names.
Can I use it for resolving OCSP name servers?
No. All of the DNS resolution is buried inside of OpenSSL.
The short answer here is that you don't need asynchronous DNS resolution. You need a DNS server which is fast, and which stays up.
If RADIUS is a critical production system, then everything it needs is critical, too. You can't take down systems needed by RADIUS, and expect the RADIUS server to do... what, exactly? Stay up? Keep running?
This goes for DNS, databases, etc. There's only so much you can do in a RADIUS server to work around the issue of "something I need is down".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hi Alan, I was looking into the openssl code flow to understand how the DNS resolution is handled inside OpenSSL. I see the API below but could not find the final DNS resolution code. Could you please send me some part of the code/APIs/files I can start looking into? BIO_new_connect calls BIO_new() and BIO_set_conn_hostname() which is defined as below. #define BIO_set_conn_hostname( b <https://docs.huihoo.com/doxygen/openssl/1.0.1c/des_8c.html#af55342ae4b8be9b599750497bddc6687> , name ) BIO_ctrl <https://docs.huihoo.com/doxygen/openssl/1.0.1c/include_2openssl_2bio_8h.html#a4848f0780343771e303f41c997b53248> (b <https://docs.huihoo.com/doxygen/openssl/1.0.1c/des_8c.html#af55342ae4b8be9b599750497bddc6687> ,BIO_C_SET_CONNECT <https://docs.huihoo.com/doxygen/openssl/1.0.1c/include_2openssl_2bio_8h.html#a7cd7a9876a0044cfbc16aa3e08b95687>,0,(char *)name) . BIO_ctrl() is defined in the file crypto/bio/bio_lib.c. long BIO_ctrl <https://docs.huihoo.com/doxygen/openssl/1.0.1c/crypto_2bio_2bio_8h.html#a4848f0780343771e303f41c997b53248> (BIO <https://docs.huihoo.com/doxygen/openssl/1.0.1c/structbio__st.html> *b, int cmd, long larg, void *parg) Thank you for your great help Regards Simon On Wed, Aug 19, 2020 at 7:00 AM SIMON BABY <simonkbaby@gmail.com> wrote:
Thank you Alan .
Regards Simon
On Wednesday, August 19, 2020, Alan DeKok <aland@deployingradius.com> wrote:
On Aug 19, 2020, at 12:55 AM, SIMON BABY <simonkbaby@gmail.com> wrote:
My name is Simon and I am new to this group. I have some basic queries regarding the ocsp functionality in freeradius-server code.
I am referring to the file freeradius-server-3.0.17/src/main/tls.c with below code sample.
RDEBUG2("ocsp: Using responder URL \"http://%s:%s%s\"", host, port, path);
/* Check host and port length are sane, then create Host: HTTP header */ if ((strlen(host) + strlen(port) + 2) > sizeof(hostheader)) { RWDEBUG("ocsp: Host and port too long"); goto skipped; } snprintf(hostheader, sizeof(hostheader), "%s:%s", host, port);
/* Setup BIO socket to OCSP responder */ cbio = BIO_new_connect(host);
1. How are we resolving the OCSP responder IP address from the name server
All of the DNS resolving is done in the BIO_new_connect() API.
? Are we using DNS/DNSSEC (unbound APIs) ?
No.
2. Do we really need to do DNSSEC validation for resolving OCSP domain names?
No.
3. May I know in which file the BIO_ APIs are implemented?
OpenSSL. Search online for BIO_new_connect(), and you'll get lots of OpenSSL documentation.
4. what is the use of the rlm_unbound module in freeradius-server package?
So that you can create RADIUS attributes which contain DNS names.
Can I use it for resolving OCSP name servers?
No. All of the DNS resolution is buried inside of OpenSSL.
The short answer here is that you don't need asynchronous DNS resolution. You need a DNS server which is fast, and which stays up.
If RADIUS is a critical production system, then everything it needs is critical, too. You can't take down systems needed by RADIUS, and expect the RADIUS server to do... what, exactly? Stay up? Keep running?
This goes for DNS, databases, etc. There's only so much you can do in a RADIUS server to work around the issue of "something I need is down".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SIMON BABY <simonkbaby@gmail.com> wrote:
I was looking into the openssl code flow to understand how the DNS resolution is handled inside OpenSSL. I see the API below but could not find the final DNS resolution code. Could you please send me some part of the code/APIs/files I can start looking into?
It is almost certain that openSSL uses OS services to resolve. If your RADIUS server does not need to look up non-DNSSec hostnames, you could shortcut this whole problem by setting up the server to use unbound as its local DNS resolver and configuring it to secure-only lookups, or point it to an unbound resolver on another (securely connected) machine which is configured as such. You'd probably want to ask on an OpenSSL group for answers to those other questions.
Thank you Julin Regards Simon On Wed, Aug 19, 2020 at 12:06 PM Brian Julin <BJulin@clarku.edu> wrote:
SIMON BABY <simonkbaby@gmail.com> wrote:
I was looking into the openssl code flow to understand how the DNS resolution is handled inside OpenSSL. I see the API below but could not find the final DNS resolution code. Could you please send me some part of the code/APIs/files I can start looking into?
It is almost certain that openSSL uses OS services to resolve. If your RADIUS server does not need to look up non-DNSSec hostnames, you could shortcut this whole problem by setting up the server to use unbound as its local DNS resolver and configuring it to secure-only lookups, or point it to an unbound resolver on another (securely connected) machine which is configured as such.
You'd probably want to ask on an OpenSSL group for answers to those other questions.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Brian Julin -
SIMON BABY