Confused about ssl caching

Sven Hartge sven at svenhartge.de
Wed Jul 17 15:21:45 CEST 2019


On 17.07.19 15:01, Alan DeKok wrote:
> On Jul 16, 2019, at 1:49 PM, Sven Hartge <sven at svenhartge.de> wrote:

>> But: How? And what?
> 
>   After looking into it, the answer is "badly" :(

So better wait for a later version before trying. I don't want to knock
20,000 users offline in a vain attempt to maybe optimize something which
may not even need optimizing.

>> But what I am missing is a concrete example how a configuration would
>> look, if you excuse my thickness.
> 
>   It's pretty non-intuitive.

At least I wasn't totally blind in my disability to understand where to
even start to use this feature. I've been staring at the configuration,
the documentation (which essentially said the same as the comment in the
configuration) and the code and had no idea when and how to use
"Cached-Session-Policy". Do I set it to the name of the policy used to
add the VLAN attributes? Do I just add the resulting attributes
directly? Is it a string or an array?

>> Also, side note here: the native Debian packages in Debian 9 and 10 have
>> tls-caching disabled at the source level because of CVE-2017-9148. Which
>> means without recompilation you can't use this feature.
> 
>   Debian also ships versions of FreeRADIUS which are *years* out of date.  Instead of using a recent release, they patch one from many years ago.

Which is why I roll my own packages with current versions, just using
the Debian packages as a base.

>   Updated documentation and more friendly configuration is available at:
> 
> https://github.com/FreeRADIUS/freeradius-server/commit/a3c46544b38ab46218c385d0ee197538fad5b3da
> 
>   You'll have to use the v3.0.x code from GitHub in order to get simpler TLS session caching.

I see, this makes more sense now.

Regards,
Sven.
