Patch freeradius-server-release_3_0_25 for choosing server certificate based on SNI in tls client hello
Natarajan M
natarajan.m at gmail.com
Fri Jan 21 06:53:12 UTC 2022
FreeRADIUS provides the ability to respond with different server
certificates depending on the SNI (Server Name Indication) in RadSec's TLS
client hello message. But this functionality didn't work (it always returned
the default server certificate irrespective of SNI). This is because in the
callback tls_sni_callback, the conf->realms check was failing. This comes from
the tls_realms_load function in the tls.c file, where a hashtable is created and
entries are added, but conf->realms didn't get assigned to this hashtable.
The following patch fixes the issue. Please correct me if my understanding/root
cause is incorrect.
--- tls.c.orig 2022-01-21 05:51:27.428815007 +0000
+++ tls.c 2022-01-21 05:51:42.592755195 +0000
@@ -4505,7 +4505,7 @@
goto error;
}
}
-
+ conf->realms = ht;
return 0;
}
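Review bot: The added `conf->realms = ht;` hands the hash table to conf, but nothing in this hunk shows who releases it afterwards. Please confirm that the table is freed together with conf, and that a second call to this function cannot overwrite an already assigned conf->realms and leak the earlier table. Placing the assignment directly before `return 0;` is the right spot, because the `goto error` path above it then never publishes a partially filled table. A smaller point: the added line takes the place of the blank line that separated the loop from the return, so keep that blank line after the assignment. A test that connects with two different SNI values and checks that each one receives its own certificate would keep this from regressing silently to the default certificate again.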