TLS configuration

Matthew Newton mcn4 at
Tue Feb 28 03:33:00 CET 2012


On Thu, Feb 09, 2012 at 04:42:31PM +0100, Alan DeKok wrote:
> Matthew Newton wrote:
> > If the tls config HAS to be called common_tls, inside the eap
> > module, then there's no need for the "tls=" entry any more - which
> > could be another way of doing it, albeit slightly less flexible.
>   There may be use-cases where multiple virtual servers can share the
> same TLS configuration.  Permitting a layer of indirection doesn't cost
> much, and is useful.

I've been a bit busy with other things, but have now got around to
doing this. There's a branch at the following URL with a set of
patches to do it.

Essentially they follow your helpful suggestions in the previous
e-mail. It's something like:

 - Rejig config and eaptls_attach to move TLS specific options out
   from EAP-TLS section
 - update eaptls_initiate to just deal with EAP-TLS, moving
   session code to libeap
 - Add TLS config parsing to EAP-PEAP attach
 - add an eappeap_initiate function
 - ditto for EAP-TTLS
 - remove the "Wild & crazy stuff" from eap.c :-)
 - tidy the config a bit and add explanatory comments.

The code also has a fallback, so if the new tls= options are not
specified it will read the config as v2.x currently does (e.g.
tls{} must exist before peap and ttls will load).

There are still a few tiny bits that are duplicated between
TLS/PEAP/TTLS, but it's a close call whether these are worth
putting into some library function, or just leaving as-is for

This lot now means that there should be no dependencies between
PEAP/TTLS and TLS, so they each stand on their own. I think from
the config perspective, it's also a lot cleaner as it's removed
the dependency where you need EAP-TLS, even though you don't
use it. It's tidied some switch()/if()s from the code, too.

> >>   The HARD thing about this is now the TLS configuration will be loaded
> >> multiple times.  Once each for EAP-TLS, TTLS, and PEAP.  Finding a way
> >> to avoid that would be good.
> > 
> > Agreed.
>   I have a simple way. :)  Get me a patch as suggested, and fixing the
> "loading certs twice" problem is another ~5 lines of code.

I did this by caching the result in tls_server_conf_parse - if
it's passed the same CONF_SECTION as the previous time, it returns
the same conf pointer. As the EAP sections are pretty much always
going to be called consecutively, this saves re-parsing each time.

It was about 5 lines of code - dunno if it was what you were
thinking or not ;-)



Matthew Newton, Ph.D. <mcn4 at>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Devel mailing list