expansion issue in external command

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Jun 10 14:12:10 CEST 2011


Hi,

> > in the TLS RADSEC configuration, if I want to use OpenSSL for external
> > verification (which I can't FULLY do...but still), I get the following
> > error if I use the ${certdir} expansion - as used all throughout the
> > rest of the config
> 
>   That *should* work...

I thought it should too. However, it just complains about an unknown variable.


> > (0) Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/radsec/CA.crt -purpose crlsign  %{TLS-Client-Cert-Filename}
> > (0) 	expand: %{TLS-Client-Cert-Filename} -> /etc/raddb/temporary/radiusd.client.XXP6KU60
> > Exec-Program output: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK 
> > Exec-Program-Wait: plaintext: /etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk error 26 at 0 depth lookup:unsupported certificate purpose OK 
> > Exec-Program: returned: 0
> > (0) Client certificate CN server.camford.ac.uk passed external validation
> ...
> > ...I'm guessing the OK message is the issue here - the command exited OK but the condition certainly isn't.
> 
>   Isn't OpenSSL grand?  If verification fails, the command still returns
> "success".
> 
>   Crazy.
> 
>   Instead, you probably have to root through the output of OpenSSL, to
> see if it says "success" or "error".

Looks that way. The output from a successful verify looks like

server.lboro.ac.uk-eduPKI.pem: OK

(and that's all, nothing else... of course, this might change with a different version of OpenSSL)

alan
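The following wrapper script is an added example for this thread; it is not code from the thread, from FreeRADIUS or from OpenSSL. It applies the suggestion above: run `openssl verify` from a script, decide pass/fail by parsing the output rather than trusting the exit status, and give FreeRADIUS a trustworthy exit code in return. The script name `verify_client_cert.sh`, the default `-purpose sslclient`, and the "real failure looks like this" sample are assumptions; the sample outputs embedded below are constructed to match the two outputs quoted in the thread, so the script can be exercised without OpenSSL installed. Newer OpenSSL releases do exit non-zero when verification fails, but keying the decision on the output works with either behaviour and also rejects the "...unsupported certificate purpose OK" case seen in the log.

```shell
#!/bin/sh
# verify_client_cert.sh: added example, not code from the thread, FreeRADIUS or OpenSSL.
# Decides whether a client certificate passed `openssl verify` by parsing the
# command's output, because old OpenSSL releases exit 0 even on failure.

# verify_output_ok CERTFILE OUTPUT
# Return 0 only when OUTPUT is what `openssl verify` prints on success:
# the line "CERTFILE: OK" and no "error N at D depth lookup:..." diagnostic.
verify_output_ok() {
    certfile=$1
    output=$2
    # A diagnostic anywhere means failure, even when a trailing "OK" follows it
    # (as in the log above, where FreeRADIUS joined the lines into one).
    if printf '%s\n' "$output" | grep -q 'error [0-9][0-9]* at [0-9][0-9]* depth lookup'; then
        return 1
    fi
    # Require the exact success line for this file: -x whole line, -F literal match.
    printf '%s\n' "$output" | grep -qxF "$certfile: OK"
}

# verify_client_cert CAFILE CERTFILE [PURPOSE]
# Run openssl verify and judge the result from its output, not its exit status.
# The default purpose "sslclient" is an assumption; the thread used "crlsign".
verify_client_cert() {
    cafile=$1
    certfile=$2
    purpose=${3:-sslclient}
    out=$(/usr/bin/openssl verify -CAfile "$cafile" -purpose "$purpose" "$certfile" 2>&1)
    verify_output_ok "$certfile" "$out"
}

# Constructed samples (no OpenSSL needed), modelled on the outputs quoted above.
SAMPLE_OK_FILE='server.lboro.ac.uk-eduPKI.pem'
SAMPLE_OK_OUTPUT='server.lboro.ac.uk-eduPKI.pem: OK'
SAMPLE_FAIL_FILE='/etc/raddb/temporary/radiusd.client.XXP6KU60'
SAMPLE_FAIL_OUTPUT='/etc/raddb/temporary/radiusd.client.XXP6KU60: /DC=com/DC=this/DC=edu/C=GB/O=Loughborough University/CN=server.camford.ac.uk
error 26 at 0 depth lookup:unsupported certificate purpose
OK'

# Script entry point, as FreeRADIUS would exec it:
#   verify_client_cert.sh /etc/raddb/radsec/CA.crt %{TLS-Client-Cert-Filename} [purpose]
# Exit 0 only on a real pass, so the caller can trust the exit status.
if [ "$#" -ge 2 ]; then
    if verify_client_cert "$1" "$2" "$3"; then
        echo "$2: OK"
        exit 0
    fi
    echo "$2: verification FAILED" >&2
    exit 1
fi
```

Point the external-verification command at this script instead of at `openssl verify` directly, passing the CA file and `%{TLS-Client-Cert-Filename}` as the two arguments. Because the decision is made on the `FILE: OK` line for the exact file that was checked, a bare "OK" after an error line, or an "OK" for some other file, is still treated as a failure.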



More information about the Freeradius-Devel mailing list