Cached attributes

[Alan DeKok]

On Feb 25, 2016, at 11:16 AM, Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:
> This didn't work as it seems the cache_tls module is called in packet 4, i.e. before the server has started to process the inner tunnel (which is where Inner-User-Name is assigned).

  The cache_tls module is there so that it can cache / replay the TLS attributes.  So that you can use the TLS-Cert-* attributes on the resumed session.

  You can add a cache module which is specific to your needs.  Put it into post-auth, so that it caches the Inner-User-Name.

> How can we place the Inner-User-Name into the TLS cache?

  Update the "cache" module configuration to cache Inner-User-Name.  Then, ensure that the cache is updated when the Inner-User-Name is available.

  While there are a lot of moving pieces, a careful approach to system design helps.  If the Inner-User-Name is only available in post-auth... well... put a cache module there to cache it.

> Arran's email [1] suggests that anything you wish to place in the TLS cache must be stored in session-state before the TLS session is frozen. However what seems to be happening is the TLS cache entry is created at the beginning of the TLS session and then not updated.

  That's not how the module && virtual server are supposed to work.  They *were* tested before being put into git, so they should work.

> Please can you shed some light on this behaviour, and whether it is possible to add an attribute to an existing cache entry in the inner post-auth section?

  You can always cache a new attribute.  Just add it to the configuration for the cache module.

  Alan DeKok.