EAP-TLS - How to log TLS-Client-Cert-* attributes from expired certificates
Matthew Newton
mcn at freeradius.org
Fri Feb 15 11:16:23 CET 2019
On Fri, 2019-02-15 at 10:02 +0100, Andreas Gryphius wrote:
> In debug mode it says there are TLS attributes created for an expired
> certificate. So there might be hope to save them for later use ...
> Does anyone have an idea how I can make these attributes available in
> linelog?

They're not added to the request list if verification failed, so it's
not currently possible.

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/tls.c#L2569

I'm not sure if there's any reason why they shouldn't be, though. That
line would need changing to

    if (certs && request) {

--
Matthew