Version 2.1.11 has been released

John Dennis jdennis at redhat.com
Wed Jun 22 01:09:00 CEST 2011


The bootstrap logic has been changed, the comment in eap.conf says:

# This command creates the initial "snake oil"
# certificates when the server is run as root,
# and via "radiusd -X".
#
# As of 2.1.11, it *also* checks the server
# certificate for validity, including expiration.
# This means that radiusd will refuse to start
# when the certificate has expired.  The alternative
# is to have the 802.1X clients refuse to connect
# when they discover the certificate has expired.
#
# Debugging client issues is hard, so it's better
# for the server to print out an error message,
# and refuse to start.

But rlm_eap_tls.c has this:

/*
 *	This magic makes the administrators life HUGELY easier
 *	on initial deployments.
 *
 *	If the server starts up in debugging mode, AND the
 *	bootstrap command is configured, AND it exists, AND
 *	there is no server certificate
 */
if (conf->make_cert_command && (debug_flag >= 2)) {
	struct stat buf;

	if ((stat(conf->make_cert_command, &buf) == 0) &&
	    (stat(conf->certificate_file, &buf) < 0) &&
	    (errno == ENOENT) &&
	    (radius_exec_program(conf->make_cert_command, NULL, 1,
				 NULL, 0, NULL, NULL, 0) != 0)) {
		eaptls_detach(inst);
		return -1;
	}
}

Maybe I'm missing something but it seems pointless to have certificate 
validation logic in the bootstrap command if it's only run in debug and 
only if the cert doesn't exist. It also seems to directly contradict 
the comments in eap.conf. What am I missing?

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
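The eap.conf comment quoted above describes a startup check that the bootstrap gate in rlm_eap_tls.c only reaches in debug mode and only when no certificate file exists yet. The block below is an added example, not FreeRADIUS code, of what such a check looks like when it runs unconditionally at startup: it reads the Validity field straight out of a DER-encoded X.509 certificate (skipping the optional version, serialNumber, signature and issuer fields of the TBSCertificate) and refuses to start when the certificate is expired or not yet valid. The certificate it checks is constructed inline by a small DER encoder (placeholder subject, key and signature, so it is not a usable certificate); the function names `certificate_validity`, `check_server_certificate` and `run_demo`, and the reference date, are this example's own.

```python
"""Startup expiry check for an EAP-TLS server certificate, working directly on
DER.  Added example, not FreeRADIUS code; the certificate is constructed inline
so the block runs offline."""
from datetime import datetime, timezone


def _der_read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _der_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 century
    rule) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) to an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = "%04d" % (1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 Certificate."""
    tag, cert, _ = _der_read_tlv(der, 0)             # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _der_read_tlv(cert, 0)             # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    pos = 0
    tag, _, nxt = _der_read_tlv(tbs, pos)
    if tag == 0xA0:                                   # [0] EXPLICIT version, optional
        pos = nxt
    for _ in range(3):                                # serialNumber, signature, issuer
        _, _, pos = _der_read_tlv(tbs, pos)
    tag, validity, _ = _der_read_tlv(tbs, pos)        # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    t1, nb, p = _der_read_tlv(validity, 0)
    t2, na, _ = _der_read_tlv(validity, p)
    return _der_time(t1, nb), _der_time(t2, na)


def check_server_certificate(der, now=None):
    """The policy eap.conf describes, applied regardless of debug mode: refuse
    to start on an expired (or not-yet-valid) certificate rather than letting
    the 802.1X clients discover it.  Returns (ok, message)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    if now < not_before:
        return False, "certificate not valid until %s" % not_before.isoformat()
    if now > not_after:
        return False, "certificate expired on %s, refusing to start" % not_after.isoformat()
    return True, "certificate valid until %s" % not_after.isoformat()


def _der(tag, payload):
    """Minimal DER encoder (short and long definite length forms)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def constructed_certificate(not_before, not_after):
    """Constructed sample for this example: a skeletal v3 Certificate with the
    given validity, a placeholder CN, a zeroed key and a zeroed signature."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    cn = _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x03]))          # id-at-commonName
               + _der(0x0C, b"radius.example.test"))
    name = _der(0x30, _der(0x31, cn))
    alg = _der(0x30, _der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
                                       0x01, 0x01, 0x0B])))       # sha256WithRSAEncryption
    placeholder_bits = _der(0x03, b"\x00" * 17)                      # zeroed BIT STRING
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                       # version v3
               + _der(0x02, b"\x01")                                 # serialNumber
               + alg + name
               + _der(0x30, utc(not_before) + utc(not_after))        # validity
               + name
               + _der(0x30, alg + placeholder_bits))                 # subjectPublicKeyInfo
    return _der(0x30, tbs + alg + placeholder_bits)


def run_demo(now=datetime(2011, 6, 22, tzinfo=timezone.utc)):
    """Check one expired and one current constructed certificate at a fixed
    reference time (the post's date); returns {label: (ok, message)}."""
    expired = constructed_certificate(datetime(2010, 6, 1, tzinfo=timezone.utc),
                                      datetime(2011, 6, 1, tzinfo=timezone.utc))
    current = constructed_certificate(datetime(2011, 1, 1, tzinfo=timezone.utc),
                                      datetime(2021, 1, 1, tzinfo=timezone.utc))
    return {"expired": check_server_certificate(expired, now),
            "current": check_server_certificate(current, now)}


if __name__ == "__main__":
    for label, (ok, message) in run_demo().items():
        print("%s: %s (%s)" % (label, "start" if ok else "refuse", message))
```

Running the check before the bootstrap gate, rather than inside the bootstrap command, is what makes the behaviour the eap.conf comment promises independent of `debug_flag` and of whether the certificate file already exists.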


