3.2.0: TLS-* attributes for incoming and outgoing RadSec connections
Hello, while playing with RadSec inbound and outbound I noticed that for both directions, the cert properties of the other end are stored in a series of TLS-Client-Cert-* attributes. But when initiating an outbound connection, these attributes store the properties of the *server* we are contacting, while the name suggests something about client (which would be our own cert, which is useless). Example: (TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) -> home_server (145.100.189.5, 2083) Requiring Server certificate [...] (0) TLS-Client-Cert-Common-Name := "slagroom.eduroam.nl" That should really be TLS-Server-Cert-Common-Name (same goes for all other properties of course). In the other direction, i.e. when serving an incoming client connection, the use of the -Client- attributes is of course semantically correct. Could these attributes be duplicated for -Server and be populated as such during outbound connections? Greetings, Stefan Winter -- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
On Jun 3, 2022, at 4:48 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
while playing with RadSec inbound and outbound I noticed that for both directions, the cert properties of the other end are stored in a series of TLS-Client-Cert-* attributes.
Hm... that seems wrong.
But when initiating an outbound connection, these attributes store the properties of the *server* we are contacting, while the name suggests something about client (which would be our own cert, which is useless).
The implementation looks at where the certificates are in the chain, as supplied by OpenSSL. I guess it passes the certificates in a different order for outgoing connections? Or maybe if you're not supplying a client cert, the other end server cert shows up at offset 0, which is typically the client cert. So are you using a client cert for radsec?
Example:
(TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) -> home_server (145.100.189.5, 2083) Requiring Server certificate
[...]
(0) TLS-Client-Cert-Common-Name := "slagroom.eduroam.nl"
That should really be TLS-Server-Cert-Common-Name (same goes for all other properties of course).
I agree.
Could these attributes be duplicated for -Server and be populated as such during outbound connections?
I don't want to change existing behavior, but we can add a configuration flag saying "whoops, use a better order". I'll take a look. Alan DeKok.
Hi,
The implementation looks at where the certificates are in the chain, as supplied by OpenSSL. I guess it passes the certificates in a different order for outgoing connections?
Or maybe if you're not supplying a client cert, the other end server cert shows up at offset 0, which is typically the client cert.
So are you using a client cert for radsec?
Yes.
Could these attributes be duplicated for -Server and be populated as such during outbound connections? I don't want to change existing behavior, but we can add a configuration flag saying "whoops, use a better order".
Sure, that's fine. Here is the full debug output, from dynamic discover to final response, if that's useful; one can see a bit of confusion... the "server" certificate attribs get populated with a few *issuer* certificate details; and then the "client" certificate ones get the server cert. Ready to process requests Thread 1 waiting to be assigned a request Threads: total/active/spare threads = 5/0/5 Waking up in 0.3 seconds. Thread 5 got semaphore Thread 5 handling request 0, (1 handled so far) (0) Received Access-Request Id 145 from 127.0.0.1:46707 to 127.0.0.1:11812 length 108 (0) User-Name = "stefan@guest.showcase.surfnet.nl" (0) User-Password = "test123" (0) NAS-IP-Address = 158.64.1.52 (0) NAS-Port = 123 (0) Message-Authenticator = 0xfff0d0edbfc17b2c225243ae784db5f0 (0) Framed-Protocol = PPP (0) # Executing section authorize from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "guest.showcase.surfnet.nl" for User-Name = "stefan@guest.showcase.surfnet.nl" (0) suffix: No such realm "guest.showcase.surfnet.nl" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) if (User-Name =~ /@(.*)$/) { (0) if (User-Name =~ /@(.*)$/) -> TRUE (0) if (User-Name =~ /@(.*)$/) { (0) switch %{home_server_dynamic:%{1}} { (0) EXPAND %{home_server_dynamic:%{1}} (0) --> (0) case { (0) if (!control:Proxy-To-Realm) { (0) if (!control:Proxy-To-Realm) -> TRUE (0) if (!control:Proxy-To-Realm) { (0) update control { (0) Executing: %{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}: (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh (0) --> /opt/freeradius/3.2.0/bin/naptr-eduroam-freeradius.sh (0) EXPAND %{1} (0) --> guest.showcase.surfnet.nl (0) EXPAND prefix (0) --> prefix (0) EXPAND %{config:prefix} (0) --> /opt/freeradius/3.2.0 ... new connection request on command socket Listening on command file /opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock Waking up in 0.1 seconds. radmin> add home_server file /opt/freeradius/3.2.0/etc/raddb/home_servers/guest.showcase.surfnet.nl including configuration file /opt/freeradius/3.2.0/etc/raddb/home_servers/guest.showcase.surfnet.nl home_server guest.showcase.surfnet.nl { ipaddr = roomkaas.eduroam.nl IPv4 address [145.100.189.5] port = 2083 type = "auth" proto = "tcp" secret = <<< secret >>> response_window = 30.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 300 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } tls { verify_depth = 0 ca_path = "/usr/local/radsecproxy/config/certs/ca/" pem_file_type = yes private_key_file = "/usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key" certificate_file = "/usr/local/radsecproxy/config/certs/tld1.eduroam.lu.pem" fragment_size = 1024 include_length = yes check_crl = no ca_path_reload_interval = 0 ecdh_curve = "prime256v1" tls_min_version = "1.2" } tls: Cannot set DH parameters. DH cipher suites may not work. Waking up in 0.1 seconds. ... shutting down socket command file /opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock Waking up in 0.1 seconds. (0) Program returned code (0) and output 'home_server guest.showcase.surfnet.nl { ipaddr = roomkaas.eduroam .nl port = 2083 proto = tcp type = auth secret = radsec tls { certificate_file = /usr/local/rads ecproxy/config/certs/tld1.eduroam.lu.pem private_key_file = /usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key ca_path = /usr/local/radsecproxy/config/certs/ca/ } }' (0) &Tmp-String-1 := home_server guest.showcase.surfnet.nl { ipaddr = roomkaas.eduroam.nl port = 2083 pr oto = tcp type = auth secret = radsec tls { certificate_file = /usr/local/radsecproxy/config/certs/tld 1.eduroam.lu.pem private_key_file = /usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key ca_path = /usr/local/radsecproxy/config/certs/ca/ } } (0) } # update control = noop (0) if ("%{control:Tmp-String-1}" == "" ) { (0) if ("%{control:Tmp-String-1}" == "" ) -> FALSE (0) else { (0) update control { (0) EXPAND %{1} (0) --> guest.showcase.surfnet.nl (0) &Home-Server-Name := guest.showcase.surfnet.nl (0) } # update control = noop (0) } # else = noop (0) } # if (!control:Proxy-To-Realm) = noop (0) } # case = noop (0) } # switch %{home_server_dynamic:%{1}} = noop (0) } # if (User-Name =~ /@(.*)$/) = noop (0) } # authorize = ok (0) Proxying due to Home-Server-Name (0) Starting proxy to home server 145.100.189.5 port 2083 (0) server default { (0) } (TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) -> home_server (145.100.189.5, 2083) Requiring Server certificate (0) (TLS) Handshake state - before/connect initialization (0) (TLS) Handshake state - Client before/connect initialization (0) (TLS) send TLS 1.2 Handshake, ClientHello (0) (TLS) Handshake state - Client SSLv2/v3 write client hello A (0) (TLS) recv TLS 1.2 Handshake, ServerHello (0) (TLS) Handshake state - Client SSLv3 read server hello A (0) (TLS) recv TLS 1.2 Handshake, Certificate (0) (TLS) Creating attributes from server certificate (0) TLS-Cert-Serial := "01" (0) TLS-Cert-Expiration := "301103101536Z" (0) TLS-Cert-Valid-Since := "101108101536Z" (0) TLS-Cert-Subject := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Cert-Common-Name := "eduPKI CA G 01" (0) (TLS) Creating attributes from client certificate (0) TLS-Client-Cert-Serial := "24277d01429f0b25f81d4b36" (0) TLS-Client-Cert-Expiration := "260119100121Z" (0) TLS-Client-Cert-Valid-Since := "210120100121Z" (0) TLS-Client-Cert-Subject := "/DC=net/DC=geant/DC=eduroam/C=NL/O=SURF/CN=slagroom.eduroam.nl" (0) TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Client-Cert-Common-Name := "slagroom.eduroam.nl" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "kookroom.eduroam.nl" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "roomkaas.eduroam.nl" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "slagroom.eduroam.nl" (0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication" (0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "47:99:74:7C:72:47:14:93:12:67:78:B4:D5:FE:79:F5:DD:7A:5C:58" (0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n" (0) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy: 1.3.6.1.4.1.27262.1.13.1.1\nPolicy: 1.3.6.1.4.1.27262.1.13.1.1.1.4\n Policy: 1.3.6.1.4.1.25178.3.1.1\nPolicy: 1.3.6.1.4.1.25178.3.1.2\nPolicy: 1.3.6.1.4.1.27262.1.13.2.1.1.8\n" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1" (0) (TLS) Handshake state - Client SSLv3 read server certificate A (0) (TLS) recv TLS 1.2 Handshake, CertificateRequest (0) (TLS) Handshake state - Client SSLv3 read server certificate request A (0) (TLS) recv TLS 1.2 Handshake, ServerHelloDone (0) (TLS) Handshake state - Client SSLv3 read server done A (0) (TLS) send TLS 1.2 Handshake, Certificate (0) (TLS) Handshake state - Client SSLv3 write client certificate A (0) (TLS) send TLS 1.2 Handshake, ClientKeyExchange (0) (TLS) Handshake state - Client SSLv3 write client key exchange A (0) (TLS) send TLS 1.2 Handshake, CertificateVerify (0) (TLS) Handshake state - Client SSLv3 write certificate verify A (0) (TLS) send TLS 1.2 ChangeCipherSpec (0) (TLS) Handshake state - Client SSLv3 write change cipher spec A (0) (TLS) send TLS 1.2 Handshake, Finished (0) (TLS) Handshake state - Client SSLv3 write finished A (0) (TLS) Handshake state - Client SSLv3 flush data (0) (TLS) recv TLS 1.2 ChangeCipherSpec (0) (TLS) recv TLS 1.2 Handshake, Finished (0) (TLS) Handshake state - Client SSLv3 read finished A (0) (TLS) Handshake state - SSL negotiation finished successfully Listening on proxy (158.64.1.52, 52959) -> home_server (145.100.189.5, 2083) Waking up in 0.1 seconds. (0) Proxying request to home server 145.100.189.5 port 2083 (TLS) timeout 30.000000 (0) Sent Access-Request Id 187 from 158.64.1.52:52959 to 145.100.189.5:2083 length 125 (0) User-Name = "stefan@guest.showcase.surfnet.nl" (0) User-Password = "test123" (0) NAS-IP-Address = 158.64.1.52 (0) NAS-Port = 123 (0) Message-Authenticator = 0xfff0d0edbfc17b2c225243ae784db5f0 (0) Framed-Protocol = PPP (0) Service-Type = Framed-User (0) Event-Timestamp = "Jun 3 2022 15:24:51 CEST" (0) Proxy-State = 0x313435 Thread 5 waiting to be assigned a request (0) Marking home server 145.100.189.5 port 2083 alive Waking up in 0.3 seconds. Thread 4 got semaphore Thread 4 handling request 0, (1 handled so far) (0) Clearing existing &reply: attributes (0) Received Access-Reject Id 187 from 145.100.189.5:2083 to 158.64.1.52:52959 length 59 (0) Reply-Message = "Request Denied" (0) Message-Authenticator = 0xe95018c5f256990b9ba4fd5b3b5eafde (0) Proxy-State = 0x313435 (0) server default { (0) # Executing section post-proxy from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default (0) post-proxy { (0) eap: No pre-existing handler found (0) [eap] = noop (0) } # post-proxy = noop (0) } (0) Using Post-Auth-Type Reject (0) # Executing group from file /opt/freeradius/3.2.0/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> stefan@guest.showcase.surfnet.nl (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Thread 4 waiting to be assigned a request Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 145 from 127.0.0.1:11812 to 127.0.0.1:46707 length 54 (0) Reply-Message = "Request Denied" (0) Message-Authenticator = 0xe95018c5f256990b9ba4fd5b3b5eafde Waking up in 1.9 seconds. ... cleaning up socket command file /opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock Waking up in 2.0 seconds. (0) Cleaning up request packet ID 145 with timestamp +2 due to cleanup_delay was reached Ready to process requests
I'll take a look.
Alan DeKok.
- List info/subscribe/unsubscribe? Seehttp://www.freeradius.org/list/users.html
-- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
On Jun 3, 2022, at 9:32 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
Here is the full debug output, from dynamic discover to final response, if that's useful; one can see a bit of confusion... the "server" certificate attribs get populated with a few *issuer* certificate details; and then the "client" certificate ones get the server cert.
OK, so OpenSSL gives us a certificate chain: incoming [0] = client cert [1] = server [2] = issuer... outgoing no client cert, you already have that! [0] = server [1] = issuer I'll poke it and see what I can come up with. Alan DeKok.
participants (2)
-
Alan DeKok -
Stefan Winter