Additional EAP-TLS Logging Option

Alan DeKok aland at deployingradius.com
Tue Sep 7 17:25:55 CEST 2010


Ross, Michael wrote:
> Alan DeKok wrote:
> 
>>  Sorry for not responding earlier.  A variant of the patch has been added.  See the v2.1.x branch on http://git.freeradius.org
> 
>>  The patch creates client/server attributes from the certificate fields.  These attributes can be used for anything: policies, *or* logging.
> 
> I've been playing around with this and the attached patch fixes a few issues.  The issues were:
> 
> - missing 'i' in Expiration
> - sprintf in serial number printing was using buf instead of p
> - array index for subject and issuer storage were reversed

  OK.  Fixed that, thanks.

> I also changed the lookup logic to only log the issuing CA and the client CA, except for when the session is going to fail due to a certificate error.  The previous logic only recorded the root CA certificate, which in my opinion isn't as valuable as the issuing CA since most servers will be set up allowing a limited number of root CAs.  A few root CAs could expand into a large number of issuing CAs.

  That's better, yes.

  My only issue with the patch is that there's an "if (lookup <= 1)"
around the code which grabs the issuer.  Then later, the issuer field is
used.

  It would be better to move that check to just surround the code which
creates the TLS-Cert-* attributes.  I've done that.  See the v2.1.x branch.

  If there are no further issues, we should be able to release 2.1.10
soon.  This certificate patch is very, very, useful.

  Alan DeKok.

