EAP-TLS - How to log TLS-Client-Cert-* attributes from expired certificates

Andreas Gryphius lists.freeradius.org at ulle.dyndns.org
Fri Feb 15 12:12:27 CET 2019

Thanks Matthew for taking care of my issue!

Am 15.02.19 um 11:16 schrieb Matthew Newton:
> On Fri, 2019-02-15 at 10:02 +0100, Andreas Gryphius wrote:
>> In debug mode it says there are TLS attributes created for an expired
>> certificate. So there might be hope to save them for later use ...
>> Does anyone have an idea how I can make these attributes available in
>> linelog?
> They're not added to the request list if verification failed, so it's
> not currently possible.
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/src/main/tls.c#L2569
> I'm not sure if there's any reason why they shouldn't be, though. That
> line would need changing to
>      if (certs && request) {

I am not a programmer, but I see a return in that function quite a bit earlier:

	/* verification failed: log the OpenSSL error and return before the
	 * TLS-Client-Cert-* attributes are added to the request */
	if (!my_ok) {
		char const *p = X509_verify_cert_error_string(err);
		RERROR("SSL says error %d : %s", err, p);
		return my_ok;
	}

But that doesn't make a difference as I want to stay with my distro's 

Any chance that I can get further with involving some other module (i.e. 
cache or cache_eap)?

Thanks, Andreas
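Added illustration, not FreeRADIUS code and not posted by either correspondent: a small C model of the two orderings discussed above. In the first, the verify callback returns on failure before any certificate attributes are added, so an expired certificate leaves nothing for linelog; in the second, the attributes are recorded before the verdict is returned, so they can be logged even when verification fails. The struct and function names (struct request, verify_cb_early_return, verify_cb_attrs_first, attrs_after_verify), the constructed certificate data and the timestamps are assumptions for the example; only the attribute names TLS-Client-Cert-Subject and TLS-Client-Cert-Issuer come from FreeRADIUS.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a TLS client-certificate verify callback.
 * It is NOT the FreeRADIUS implementation; it only reproduces the
 * control-flow question from the thread. */

#define MAX_ATTRS 8

struct attr { char name[32]; char value[64]; };

/* Stand-in for the RADIUS request attribute list. */
struct request {
    struct attr attrs[MAX_ATTRS];
    int n;
};

/* Constructed certificate: just the fields the example needs. */
struct cert {
    const char *subject;
    const char *issuer;
    long not_after;   /* seconds since the epoch, constructed value */
};

/* Constructed error codes standing in for X509_V_OK / "expired". */
enum { VERIFY_OK = 0, VERIFY_CERT_HAS_EXPIRED = 10 };

static void add_attr(struct request *req, const char *name, const char *value) {
    if (req->n >= MAX_ATTRS) return;
    snprintf(req->attrs[req->n].name, sizeof req->attrs[req->n].name, "%s", name);
    snprintf(req->attrs[req->n].value, sizeof req->attrs[req->n].value, "%s", value);
    req->n++;
}

/* Populate the TLS-Client-Cert-* attributes from the certificate. */
static void add_cert_attrs(struct request *req, const struct cert *c) {
    add_attr(req, "TLS-Client-Cert-Subject", c->subject);
    add_attr(req, "TLS-Client-Cert-Issuer", c->issuer);
}

static int check_expiry(const struct cert *c, long now) {
    return c->not_after < now ? VERIFY_CERT_HAS_EXPIRED : VERIFY_OK;
}

/* Returns the attribute value or NULL if the request does not carry it. */
const char *find_attr(const struct request *req, const char *name) {
    for (int i = 0; i < req->n; i++)
        if (strcmp(req->attrs[i].name, name) == 0) return req->attrs[i].value;
    return NULL;
}

/* Ordering A: return on failure BEFORE attributes are added.
 * An expired certificate leaves the request list empty. */
int verify_cb_early_return(struct request *req, const struct cert *c, long now) {
    int err = check_expiry(c, now);
    int my_ok = (err == VERIFY_OK);
    if (!my_ok) {
        fprintf(stderr, "SSL says error %d\n", err);
        return my_ok;            /* attributes never reach the request */
    }
    add_cert_attrs(req, c);
    return my_ok;
}

/* Ordering B: record the attributes first, then return the verdict.
 * The certificate is still rejected, but its subject/issuer are
 * available for logging the failed attempt. */
int verify_cb_attrs_first(struct request *req, const struct cert *c, long now) {
    int err = check_expiry(c, now);
    int my_ok = (err == VERIFY_OK);
    add_cert_attrs(req, c);
    if (!my_ok) fprintf(stderr, "SSL says error %d\n", err);
    return my_ok;
}

/* Runs one callback against a constructed certificate that expires at
 * not_after = 1550000000 and returns how many attributes were recorded. */
int attrs_after_verify(int (*cb)(struct request *, const struct cert *, long), long now) {
    struct request req;
    struct cert c = { "CN=alice,O=Example", "CN=Example CA", 1550000000L };
    memset(&req, 0, sizeof req);
    cb(&req, &c, now);
    return req.n;
}

int main(void) {
    long expired_now = 1560000000L;   /* after not_after: certificate expired */
    long valid_now   = 1540000000L;   /* before not_after: certificate valid */
    printf("early return, expired: %d attrs\n", attrs_after_verify(verify_cb_early_return, expired_now));
    printf("attrs first,  expired: %d attrs\n", attrs_after_verify(verify_cb_attrs_first, expired_now));
    printf("early return, valid:   %d attrs\n", attrs_after_verify(verify_cb_early_return, valid_now));
    return 0;
}
```

Both orderings still reject the expired certificate (the return value is 0 either way); the only difference is whether the request list carries the certificate's identity at the point where a logging module could read it.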
