3.2.0: TLS-* attributes for incoming and outgoing RadSec connections

Stefan Winter stefan.winter at restena.lu
Fri Jun 3 08:48:15 UTC 2022


While playing with RadSec inbound and outbound I noticed that for both 
directions, the cert properties of the other end are stored in a series 
of TLS-Client-Cert-* attributes.

But when initiating an outbound connection, these attributes store the 
properties of the *server* we are contacting, while the name suggests 
something about the client (which would be our own cert, which is useless).


(TLS) Trying new outgoing proxy connection to proxy (, 0) -> home_server (, 2083)
Requiring Server certificate


(0)  TLS-Client-Cert-Common-Name := "slagroom.eduroam.nl"

That should really be TLS-Server-Cert-Common-Name (same goes for all 
other properties of course).

In the other direction, i.e. when serving an incoming client connection, 
the use of the -Client- attributes is of course semantically correct.

Could these attributes be duplicated for -Server and be populated as 
such during outbound connections?


Stefan Winter


Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
