Patch freeradius-server-release_3_0_25 for choosing server certificate based on SNI in tls client hello

Alan DeKok aland at
Fri Jan 21 14:12:51 UTC 2022

On Jan 21, 2022, at 1:53 AM, Natarajan M <natarajan.m at> wrote:
> Freeradius provides the ability to respond with different server
> certificates depending on SNI (Server-name-Indication) in the radsec's TLS
> client hello msg. But this functionality didn't work (always returned
> default server certificate irrespective of SNI). This is because in the
> callback tls_sni_callback, conf->realms check was failing. This comes from
> the tls_reals_load function in tls.c file where a hashtable is created and
> entries are added but conf->realms didn't get assigned to this hashtable.
> Following patch fixes the issues. Please correct if my understanding/root
> cause is incorrect.

  You're right.

  Thanks, I've pushed the fix.

  Alan DeKok.

More information about the Freeradius-Devel mailing list