EAP-TLS - How to log TLS-Client-Cert-* attributes from expired certificates
Andreas Gryphius
lists.freeradius.org at ulle.dyndns.org
Fri Feb 15 12:12:27 CET 2019
Thanks, Matthew, for taking care of my issue!
On 15.02.19 at 11:16, Matthew Newton wrote:
> On Fri, 2019-02-15 at 10:02 +0100, Andreas Gryphius wrote:
>> In debug mode it says there are TLS attributes created for an expired
>> certificate. So there might be hope to save them for later use ...
>> Does anyone have an idea how I can make these attributes available
>> in linelog?
>
> They're not added to the request list if verification failed, so it's
> not currently possible.
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/tls.c#L2569
>
> I'm not sure if there's any reason why they shouldn't be, though. That
> line would need changing to
>
> if (certs && request) {
>
I am not a programmer, but I see a return in that function much earlier:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/tls.c#L2323
    if (!my_ok) {
        char const *p = X509_verify_cert_error_string(err);
        RERROR("SSL says error %d : %s", err, p);
        REXDENT();
        return my_ok;
    }
But that doesn't make a difference as I want to stay with my distro's
package.
Any chance that I can get further with involving some other module (i.e.
cache or cache_eap)?
Thanks, Andreas