Regarding backport fix of https://github.com/FreeRADIUS/freeradius-server/issues/3501 to 3.0.x branches.
saurabha badhai
saurabha.badhai at gmail.com
Tue Jun 6 09:19:41 UTC 2023
Yes, I am using RADSEC, which uses TLS. I see that in the TLS establishment
procedure the first part is the TCP connection, and then the TLS handshake
starts to make a secure connection.
I am facing an issue in the first part, in TCP connect: the thread gets
stuck in *fr_socket_client_tcp* and does not come out for 2 mins if the AAA
server is down or the network is unavailable, which impacts other RADIUS
messages to be processed around that time. This blocks the complete server
from processing any message.
My doubt is whether this TCP blocking for 2 mins before the TLS handshake
procedure gets fixed with these TLS non-blocking PRs?
Thanks,
Saurabha
On Tue, Jun 6, 2023 at 11:32 AM Alan DeKok <aland at deployingradius.com>
wrote:
> On Jun 6, 2023, at 7:57 AM, saurabha badhai <saurabha.badhai at gmail.com>
> wrote:
> >
> > Yes, got it. So in a TLS connection, TCP connect can be used in
> > non-blocking mode now with PR #5013 without any issue. Could you please
> > confirm?
>
> If you read the code, you'll see that bare TCP cannot be used in
> non-blocking mode.
>
> The non-blocking code uses the internal TLS buffers to write data when
> the TCP connection is blocked. Those TLS buffers don't exist for
> RADIUS/TCP. So they're not used.
>
> In short: don't use RADIUS/TCP. It's insecure. It offers no value over
> RADIUS/UDP, or RADIUS/TLS.
>
> Just use RADIUS/TLS.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/devel.html
>
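The stall described in the message above comes from a blocking connect() to a peer that never answers. The general POSIX way to bound that wait is a non-blocking connect() followed by poll() and an SO_ERROR check. This is an added example, not code from FreeRADIUS or from either poster; `connect_with_timeout` and `try_loopback` are hypothetical names, and the loopback listener is constructed only so the block can check itself offline.

```c
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not a FreeRADIUS function: TCP connect that waits at
 * most timeout_ms. Returns a non-blocking connected fd, or -1 with errno set. */
int connect_with_timeout(const struct sockaddr *addr, socklen_t len, int timeout_ms)
{
    struct pollfd pfd = { .events = POLLOUT };
    socklen_t elen = sizeof(int);
    int rc, err = 0, flags;
    int fd = socket(addr->sa_family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) err = errno;
    else if (connect(fd, addr, len) == 0) return fd;   /* connected at once */
    else if (errno != EINPROGRESS) err = errno;        /* immediate failure */
    else {
        pfd.fd = fd;                                   /* handshake in flight */
        do rc = poll(&pfd, 1, timeout_ms); while (rc < 0 && errno == EINTR);
        if (rc == 0) err = ETIMEDOUT;                  /* bounded wait expired */
        else if (rc < 0) err = errno;
        else if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &elen) < 0) err = errno;
        if (err == 0) return fd;                       /* SO_ERROR 0: connected */
    }
    close(fd);
    errno = err;
    return -1;
}

/* Constructed self-check: bind an ephemeral loopback port (listening only if
 * do_listen is set) and connect to it. Returns 0 or the errno of the failure. */
int try_loopback(int do_listen, int timeout_ms)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    socklen_t len = sizeof(sa);
    int fd, rc, lfd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, len) < 0
        || (do_listen && listen(lfd, 1) < 0)) return -1;
    getsockname(lfd, (struct sockaddr *)&sa, &len);    /* learn the chosen port */
    fd = connect_with_timeout((struct sockaddr *)&sa, len, timeout_ms);
    rc = fd >= 0 ? 0 : errno;
    if (fd >= 0) close(fd);
    close(lfd);
    return rc;
}
```

Against a peer that silently drops packets the helper returns -1 with errno set to ETIMEDOUT after timeout_ms, instead of waiting for the kernel's own retry limit.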