EAP-TLS - How to log TLS-Client-Cert-* attributes from expired certificates
Andreas Gryphius
lists.freeradius.org at ulle.dyndns.org
Fri Feb 15 18:04:19 CET 2019
Hi Alan,
Am 15.02.19 um 14:35 schrieb Alan DeKok:
> On Feb 15, 2019, at 6:12 AM, Andreas Gryphius <lists.freeradius.org at ulle.dyndns.org> wrote:
>> I am not a programmer, but I see a return in that function quite a bit earlier:
>> ...
>> But that doesn't make a difference as I want to stay with my distro's package.
>
> I don't know why.
>
> Later versions of the server have bugs fixed, minor new features, and better debugging. In many, many cases people ask "why doesn't this work?" and the answer is "you're running something that's 5 years old: upgrade".
>
> And all too often, the answer is "no".
>
> Well...
I did not want to complain. If the issue were severe enough for me, I
would go down the route of compiling it myself.
>
>> Any chance that I can get further by involving some other module (e.g. cache or cache_eap)?
>
> Nope.
>
> When it rejects the expired cert, it deletes all of the certificate attributes that it created. Changing that involves source code changes.
>
Okay. At least I know now that there is no workaround, so thank you for
pointing that out. If needed, I can catch the certificate data while in
debug mode.
And as Matthew already pointed to the right file in the source code, anyone
coming here (via a search engine) can build their own fix.
By the way, it looks like my issue would still be the same with the
current state of FreeRADIUS on GitHub:
https://github.com/FreeRADIUS/freeradius-server/blob/master/src/lib/tls/validate.c#L198
The same return statement as in the 3.0.x code for certificate errors.
Unfortunately, without adding the certificate attributes to a list
(request) before ...
Andreas
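The point of the thread above is an ordering problem: the verify callback returns on a certificate error before the TLS-Client-Cert-* attributes are added to the request, so an expired client certificate leaves nothing to log. The following is an added, stand-alone example (not FreeRADIUS or OpenSSL code, and not from anyone in this thread) that shows the fix shape in Go's standard library instead of C: parse the client certificate, capture its attributes, and only then run verification, returning the attributes together with the verification error. The names CertAttrs, extractAttrs, inspectThenVerify, isExpiredErr, makeClientCert and scenario are this example's own, and the certificate it checks is a constructed self-signed certificate generated in-process, so nothing is read from disk or the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertAttrs holds the fields a RADIUS server would normally expose as
// TLS-Client-Cert-* attributes. The names are this example's own.
type CertAttrs struct {
	Subject   string
	Issuer    string
	Serial    string // hex, like TLS-Client-Cert-Serial
	NotBefore time.Time
	NotAfter  time.Time
	Expired   bool
}

// extractAttrs copies the loggable fields out of an already parsed certificate.
func extractAttrs(cert *x509.Certificate, now time.Time) CertAttrs {
	return CertAttrs{
		Subject:   cert.Subject.String(),
		Issuer:    cert.Issuer.String(),
		Serial:    cert.SerialNumber.Text(16),
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
		Expired:   now.After(cert.NotAfter),
	}
}

// inspectThenVerify records the certificate attributes first and only then
// runs chain and validity verification, so the attributes come back even
// when the certificate is rejected (e.g. because it has expired).
func inspectThenVerify(der []byte, roots *x509.CertPool, now time.Time) (CertAttrs, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertAttrs{}, fmt.Errorf("parse client cert: %w", err)
	}
	attrs := extractAttrs(cert, now)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return attrs, err // attrs are populated even when err != nil
}

// isExpiredErr reports whether a Verify error is a validity-period failure
// (Go uses the single reason Expired for "not yet valid" as well).
func isExpiredErr(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// makeClientCert builds a constructed, self-signed ECDSA client certificate
// for the demo (assumption: a self-signed leaf stands in for a real PKI).
func makeClientCert(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1001),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Lab"}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// scenario issues a cert that expires daysValid days from now (negative means
// already expired), trusts it as its own root, and runs inspectThenVerify.
func scenario(cn string, now time.Time, daysValid int) (CertAttrs, error) {
	der, err := makeClientCert(cn, now.AddDate(-1, 0, 0), now.AddDate(0, 0, daysValid))
	if err != nil {
		return CertAttrs{}, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertAttrs{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // self-signed: the leaf is its own trust anchor
	return inspectThenVerify(der, roots, now)
}

func main() {
	now := time.Now()
	for _, tc := range []struct {
		cn   string
		days int
	}{{"valid-user", 365}, {"expired-user", -1}} {
		attrs, err := scenario(tc.cn, now, tc.days)
		fmt.Printf("%s: subject=%q serial=%s notAfter=%s verify=%v\n",
			tc.cn, attrs.Subject, attrs.Serial, attrs.NotAfter.Format(time.RFC3339), err)
		if isExpiredErr(err) {
			fmt.Println("  rejected as expired, but the attributes above were captured first")
		}
	}
}
```

The design choice is the one the thread identifies as missing in the server: extraction of the attributes is separated from the accept/reject decision, so the caller can log subject, serial and expiry for an expired certificate and still reject it. In the server's own code the equivalent change would be to add the attributes to the request list before the early return on a verification error.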