expansion issue in external command

Alan DeKok aland at deployingradius.com
Fri Jun 10 13:22:09 CEST 2011


Alan Buxey wrote:
> in the TLS RADSEC configuration, if I want to use OpenSSL for external
> verification (which I can't FULLY do...but still), I get the following
> error if I use the ${certdir} expansion - as used all throughout the
> rest of the config

  That *should* work...

> there appears to be another issue too... if I say that the cert must be valid for a purpose and it's not valid for
> the purpose then it passes the test anyway(!)  that's not what I had in mind  ;-)
> 
> (0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign  %{TLS-Client-Cert-Filename}
> (0) 	expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60
> Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK 
> Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK 
> Exec-Program: returned: 0
> (0) Client certificate CN server.camford.ac.uk passed external validation
...
> ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isn't.

  Isn't OpenSSL grand?  If verification fails, the command still returns
"success".

  Crazy.

  Instead, you probably have to root through the output of OpenSSL, to
see if it says "success" or "error".

  Alan DeKok.
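One way to do what Alan suggests, as an added example that is not part of the original thread and not FreeRADIUS or OpenSSL project code: a POSIX sh wrapper that runs `openssl verify`, treats the `error N at D depth lookup` marker as a rejection regardless of the trailing `OK`, accepts only the `<file>: OK` form, and turns that verdict into a real exit status. The script name, the CA file path and the `client =` option name shown in the comment are assumptions; the sample output in the comments is constructed from the lines quoted above. Since FreeRADIUS collapses the command's output onto a single line (see the Exec-Program lines above), the parsing has to happen inside the wrapper on the raw OpenSSL output, not on what radiusd logs.

```shell
#!/bin/sh
# Added example (not FreeRADIUS or OpenSSL code). Wraps `openssl verify` so
# that the caller gets a non-zero exit status when verification fails, even
# on OpenSSL builds whose verify(1) prints
#   <cert>: <subject DN>
#   error 26 at 0 depth lookup:unsupported certificate purpose
#   OK
# and still exits 0, as in the thread above.

# verdict_from_output OUTPUT [CERTFILE]
# Exit 0 only for a genuine pass. Any "error N at D depth lookup" line means
# reject, whatever follows it. With CERTFILE given, the whole output must be
# exactly "<CERTFILE>: OK"; otherwise some line must end in ": OK".
# Empty or unexpected output fails closed.
verdict_from_output() {
    out=$1
    cert=${2:-}
    # The error line comes from OpenSSL's verify callback; its presence
    # alone is the failure signal, since the exit code cannot be trusted.
    if printf '%s\n' "$out" | grep -Eq 'error [0-9]+ at [0-9]+ depth lookup'; then
        return 1
    fi
    if [ -n "$cert" ]; then
        # Strictest form: nothing but the one-line pass verdict is accepted.
        if [ "$out" = "$cert: OK" ]; then
            return 0
        fi
        return 1
    fi
    if printf '%s\n' "$out" | grep -Eq ': OK[[:space:]]*$'; then
        return 0
    fi
    return 1
}

# verify_cert CAFILE PURPOSE CERTFILE
# Runs openssl verify, echoes its output for the radiusd log, and returns
# 0 only when verdict_from_output accepts it.
verify_cert() {
    cafile=$1; purpose=$2; cert=$3
    rc=0
    out=$(openssl verify -CAfile "$cafile" -purpose "$purpose" "$cert" 2>&1) || rc=$?
    printf '%s\n' "$out"
    # Newer OpenSSL releases already exit non-zero on failure; honour that
    # too, so the wrapper is correct on both old and new builds.
    if [ "$rc" -ne 0 ]; then
        return 1
    fi
    if verdict_from_output "$out" "$cert"; then
        return 0
    fi
    return 1
}

# Entry point when installed as the verification command, e.g. (assumed
# option name and paths, adapt to your configuration):
#   client = "/etc/raddb/verify-client-cert.sh /etc/raddb/radsec/CA.crt sslclient %{TLS-Client-Cert-Filename}"
if [ "$#" -eq 3 ]; then
    verify_cert "$1" "$2" "$3"
    exit $?
fi
```

With this in place the `-purpose crlsign` case from the thread is rejected: the wrapper sees the `error 26 at 0 depth lookup` line and exits 1, so radiusd reports the certificate as failing external validation instead of passing it.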


