reauth-problem with WPA2-tls

Alan DeKok aland at deployingradius.com
Mon Jun 7 23:03:40 CEST 2010


Andreas Hartmann wrote:
> Problem is fixed! You're missing an ssl-option when setting up SSL. Since
> SSL version 0.9.8j, openssl supports stateless session resumption. This
> means, no session_id is created in the server, if both, client and
> server, support it.
> 
> I'm using on both sides openssl 0.9.8k, the server generates no
> session-key (which you need for saving resume-data).
> 
> See: http://www.mail-archive.com/openssl-users@openssl.org/msg56976.html.

  All I can say is that is one of the *worst* poorly documented changes
in behavior I have ever seen.  They could have made the default to be no
change in behavior, but no...

> Setting
> 
> ctx_options |= SSL_OP_NO_TICKET ;
> 
> in rlm_eap_tls.c

  I've added the fix, thanks.

> is needed, to get a working sessionhandling in freeradius with openssl >
> 0.9.8i.
> 
> It was good to have a lot of comments in the code and to have a lot of
> debug messages. So I could follow what's going on in detail.

  That's good to hear.

  Alan DeKok.


