Patch freeradius-server-release_3_0_25 for choosing server certificate based on SNI in tls client hello

Natarajan M natarajan.m at
Fri Jan 21 06:53:12 UTC 2022

Freeradius provides the ability to respond with different server
certificates depending on SNI (Server-name-Indication) in the radsec's TLS
client hello msg. But this functionality didn't work (always returned
default server certificate irrespective of SNI). This is because in the
callback tls_sni_callback, conf->realms check was failing. This comes from
the tls_reals_load function in tls.c file where a hashtable is created and
entries are added but conf->realms didn't get assigned to this hashtable.
Following patch fixes the issues. Please correct if my understanding/root
cause is incorrect.

--- tls.c.orig 2022-01-21 05:51:27.428815007 +0000

+++ tls.c 2022-01-21 05:51:42.592755195 +0000

@@ -4505,7 +4505,7 @@

  goto error;




+        conf->realms = ht;

  return 0;


More information about the Freeradius-Devel mailing list