FreeRADIUS Creates New .vps and .asn1 Files for Cached TLS Sessions Instead of Reusing Them
Hey ! I am currently using FreeRADIUS with EAP-TLS for client authentication, and I have configured a TLS session cache directory at `/var/log/freeradius/tlscache/`. However, every time a client reconnects, FreeRADIUS creates new `.vps` and `.asn1` files for each session, even though the session details remain the same. **Expected Behavior**: FreeRADIUS should reuse the cached session when a client reconnects instead of creating new cache files. **Actual Behavior**: A new pair of `.vps` and `.asn1` files is created for every connection, leading to unnecessary cache file creation and a potential performance hit. **Logs Showing the Issue**: When a client reconnects, FreeRADIUS logs indicate that it doesn’t find the cached session, even though it previously created one: For the second connection attempt: ``` (8) eap_tls: Peer requested cached session: 604b28a21b0839df85aac31a93fc59ae1efa3f58781088cb0df999c05fa9d01b (8) eap_tls: WARNING: (TLS) TLS - No persisted session file /var/log/freeradius/tlscache/604b28a21b0839df85aac31a93fc59ae1efa3f58781088cb0df999c05fa9d01b.asn1: No such file or directory (8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello ``` Then it recreates the session file: ``` (8) eap_tls: Serialising session 1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549, and storing in cache (8) eap_tls: WARNING: (TLS) TLS - Wrote session 1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549 to /var/log/freeradius/tlscache/1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549.asn1 (1641 bytes) ``` **Sample Cached Session Files**: Here are two examples of the `.vps` files generated for the same client: First `.vps` file: ``` # SSL cached session e6c48d5b37efbac1c4c1ec7604cb29a0030f0c6e22c304567c885f61147ea693 EAP-Type = TLS, TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566", ... ``` Second `.vps` file (after reconnection): ``` # SSL cached session e1103d784da8d948197c0346232a22e98863d5d366a75b95f15529622b34f95c EAP-Type = TLS, TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566", ... ``` As you can see, the session details are identical, but a new cache file is created each time. **Environment**: - FreeRADIUS version: 3.2.6 - EAP-TLS with TLS 1.2 - OS: Debian - TLS cache location: `/var/log/freeradius/tlscache/` Why is FreeRADIUS not reusing the cached session and instead creating new cached session files for every connection attempt? Is there a configuration issue or a potential bug that might be causing this? Thanks for any tips!
On Sep 12, 2024, at 10:20 AM, Luca Borruto via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hey ! I am currently using FreeRADIUS with EAP-TLS for client authentication, and I have configured a TLS session cache directory at `/var/log/freeradius/tlscache/`. However, every time a client reconnects, FreeRADIUS creates new `.vps` and `.asn1` files for each session, even though the session details remain the same.
If it creates new cache files, then the session details aren't the same.
**Expected Behavior**: FreeRADIUS should reuse the cached session when a client reconnects instead of creating new cache files.
**Actual Behavior**: A new pair of `.vps` and `.asn1` files is created for every connection, leading to unnecessary cache file creation and a potential performance hit.
**Logs Showing the Issue**: When a client reconnects, FreeRADIUS logs indicate that it doesn’t find the cached session, even though it previously created one:
FreeRADIUS isn't at fault here. If the the client reconnects and uses session resumption, then the client sends the session ticket to FreeRADIUS. This must be the same session ticket which it received fly FreeRADIUS in the previous session.
For the second connection attempt: ``` (8) eap_tls: Peer requested cached session: 604b28a21b0839df85aac31a93fc59ae1efa3f58781088cb0df999c05fa9d01b (8) eap_tls: WARNING: (TLS) TLS - No persisted session file /var/log/freeradius/tlscache/604b28a21b0839df85aac31a93fc59ae1efa3f58781088cb0df999c05fa9d01b.asn1: No such file or directory
What's going on here is: 1) something on the FreeRADIUS system is cleaned up the cache files, so that's why they don't exist. FreeRADIUS doesn't do this by default, so it's something else. 2) the client is send an old / wrong session ticket.
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello ```
Then it recreates the session file:
No, it creates a *different* session file, with a *different* key. Session files are keyed by the session ticket. That's how the sessions are identified. There's no other magic token saying "it's the same session". The only token is the session ticket.
Why is FreeRADIUS not reusing the cached session and instead creating new cached session files for every connection attempt? Is there a configuration issue or a potential bug that might be causing this?
Session resumption works when: 1) nothing else deletes the cache files 2) the client gets the session ticket from FreeRADIUS, and then returns the *same* session ticket when doing session resumption. Alan DeKok.
participants (2)
-
Alan DeKok -
Luca Borruto