3.2.0: TLS-* attributes for incoming and outgoing RadSec connections
Stefan Winter
stefan.winter at restena.lu
Fri Jun 3 13:32:40 UTC 2022
Hi,
> The implementation looks at where the certificates are in the chain, as supplied by OpenSSL. I guess it passes the certificates in a different order for outgoing connections?
>
> Or maybe if you're not supplying a client cert, the other end server cert shows up at offset 0, which is typically the client cert.
>
> So are you using a client cert for radsec?
Yes.
>> Could these attributes be duplicated for -Server and be populated as such during outbound connections?
> I don't want to change existing behavior, but we can add a configuration flag saying "whoops, use a better order".
Sure, that's fine.
Here is the full debug output, from dynamic discovery to final response,
if that's useful; one can see a bit of confusion... the "server"
certificate attribs get populated with a few *issuer* certificate
details, and then the "client" certificate ones get the server cert.
Ready to process requests
Thread 1 waiting to be assigned a request
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 0, (1 handled so far)
(0) Received Access-Request Id 145 from 127.0.0.1:46707 to
127.0.0.1:11812 length 108
(0) User-Name = "stefan at guest.showcase.surfnet.nl"
(0) User-Password = "test123"
(0) NAS-IP-Address = 158.64.1.52
(0) NAS-Port = 123
(0) Message-Authenticator = 0xfff0d0edbfc17b2c225243ae784db5f0
(0) Framed-Protocol = PPP
(0) # Executing section authorize from file
/opt/freeradius/3.2.0/etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "guest.showcase.surfnet.nl" for User-Name =
"stefan at guest.showcase.surfnet.nl"
(0) suffix: No such realm "guest.showcase.surfnet.nl"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good"
password is available
(0) [pap] = noop
(0) if (User-Name =~ /@(.*)$/) {
(0) if (User-Name =~ /@(.*)$/) -> TRUE
(0) if (User-Name =~ /@(.*)$/) {
(0) switch %{home_server_dynamic:%{1}} {
(0) EXPAND %{home_server_dynamic:%{1}}
(0) -->
(0) case {
(0) if (!control:Proxy-To-Realm) {
(0) if (!control:Proxy-To-Realm) -> TRUE
(0) if (!control:Proxy-To-Realm) {
(0) update control {
(0) Executing:
%{config:prefix}/bin/naptr-eduroam-freeradius.sh %{1} %{config:prefix}:
(0) EXPAND prefix
(0) --> prefix
(0) EXPAND %{config:prefix}/bin/naptr-eduroam-freeradius.sh
(0) -->
/opt/freeradius/3.2.0/bin/naptr-eduroam-freeradius.sh
(0) EXPAND %{1}
(0) --> guest.showcase.surfnet.nl
(0) EXPAND prefix
(0) --> prefix
(0) EXPAND %{config:prefix}
(0) --> /opt/freeradius/3.2.0
... new connection request on command socket
Listening on command file
/opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock
Waking up in 0.1 seconds.
radmin> add home_server file
/opt/freeradius/3.2.0/etc/raddb/home_servers/guest.showcase.surfnet.nl
including configuration file
/opt/freeradius/3.2.0/etc/raddb/home_servers/guest.showcase.surfnet.nl
home_server guest.showcase.surfnet.nl {
ipaddr = roomkaas.eduroam.nl IPv4 address [145.100.189.5]
port = 2083
type = "auth"
proto = "tcp"
secret = <<< secret >>>
response_window = 30.000000
response_timeouts = 1
max_outstanding = 65536
zombie_period = 40
status_check = "none"
ping_interval = 30
check_timeout = 4
num_answers_to_alive = 3
revive_interval = 300
limit {
max_connections = 16
max_requests = 0
lifetime = 0
idle_timeout = 0
}
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
recv_coa {
}
}
tls {
verify_depth = 0
ca_path = "/usr/local/radsecproxy/config/certs/ca/"
pem_file_type = yes
private_key_file =
"/usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key"
certificate_file =
"/usr/local/radsecproxy/config/certs/tld1.eduroam.lu.pem"
fragment_size = 1024
include_length = yes
check_crl = no
ca_path_reload_interval = 0
ecdh_curve = "prime256v1"
tls_min_version = "1.2"
}
tls: Cannot set DH parameters. DH cipher suites may not work.
Waking up in 0.1 seconds.
... shutting down socket command file
/opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock
Waking up in 0.1 seconds.
(0) Program returned code (0) and output 'home_server guest.showcase.surfnet.nl
{ ipaddr = roomkaas.eduroam.nl port = 2083 proto = tcp type = auth secret = radsec
tls { certificate_file = /usr/local/radsecproxy/config/certs/tld1.eduroam.lu.pem
private_key_file = /usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key
ca_path = /usr/local/radsecproxy/config/certs/ca/ } }'
(0) &Tmp-String-1 := home_server guest.showcase.surfnet.nl { ipaddr = roomkaas.eduroam.nl
port = 2083 proto = tcp type = auth secret = radsec tls {
certificate_file = /usr/local/radsecproxy/config/certs/tld1.eduroam.lu.pem
private_key_file = /usr/local/radsecproxy/config/certs/tld1.eduroam.lu.key
ca_path = /usr/local/radsecproxy/config/certs/ca/ } }
(0) } # update control = noop
(0) if ("%{control:Tmp-String-1}" == "" ) {
(0) if ("%{control:Tmp-String-1}" == "" ) -> FALSE
(0) else {
(0) update control {
(0) EXPAND %{1}
(0) --> guest.showcase.surfnet.nl
(0) &Home-Server-Name := guest.showcase.surfnet.nl
(0) } # update control = noop
(0) } # else = noop
(0) } # if (!control:Proxy-To-Realm) = noop
(0) } # case = noop
(0) } # switch %{home_server_dynamic:%{1}} = noop
(0) } # if (User-Name =~ /@(.*)$/) = noop
(0) } # authorize = ok
(0) Proxying due to Home-Server-Name
(0) Starting proxy to home server 145.100.189.5 port 2083
(0) server default {
(0) }
(TLS) Trying new outgoing proxy connection to proxy (0.0.0.0, 0) ->
home_server (145.100.189.5, 2083)
Requiring Server certificate
(0) (TLS) Handshake state - before/connect initialization
(0) (TLS) Handshake state - Client before/connect initialization
(0) (TLS) send TLS 1.2 Handshake, ClientHello
(0) (TLS) Handshake state - Client SSLv2/v3 write client hello A
(0) (TLS) recv TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Client SSLv3 read server hello A
(0) (TLS) recv TLS 1.2 Handshake, Certificate
(0) (TLS) Creating attributes from server certificate
(0) TLS-Cert-Serial := "01"
(0) TLS-Cert-Expiration := "301103101536Z"
(0) TLS-Cert-Valid-Since := "101108101536Z"
(0) TLS-Cert-Subject := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0) TLS-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0) TLS-Cert-Common-Name := "eduPKI CA G 01"
(0) (TLS) Creating attributes from client certificate
(0) TLS-Client-Cert-Serial := "24277d01429f0b25f81d4b36"
(0) TLS-Client-Cert-Expiration := "260119100121Z"
(0) TLS-Client-Cert-Valid-Since := "210120100121Z"
(0) TLS-Client-Cert-Subject :=
"/DC=net/DC=geant/DC=eduroam/C=NL/O=SURF/CN=slagroom.eduroam.nl"
(0) TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
(0) TLS-Client-Cert-Common-Name := "slagroom.eduroam.nl"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "kookroom.eduroam.nl"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "roomkaas.eduroam.nl"
(0) TLS-Client-Cert-Subject-Alt-Name-Dns := "slagroom.eduroam.nl"
(0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication, TLS Web Server Authentication"
(0) TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"47:99:74:7C:72:47:14:93:12:67:78:B4:D5:FE:79:F5:DD:7A:5C:58"
(0) TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n"
(0) TLS-Client-Cert-X509v3-Certificate-Policies += "Policy:
1.3.6.1.4.1.27262.1.13.1.1\nPolicy: 1.3.6.1.4.1.27262.1.13.1.1.1.4\n
Policy: 1.3.6.1.4.1.25178.3.1.1\nPolicy:
1.3.6.1.4.1.25178.3.1.2\nPolicy: 1.3.6.1.4.1.27262.1.13.2.1.1.8\n"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
(0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1"
(0) (TLS) Handshake state - Client SSLv3 read server certificate A
(0) (TLS) recv TLS 1.2 Handshake, CertificateRequest
(0) (TLS) Handshake state - Client SSLv3 read server certificate request A
(0) (TLS) recv TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Handshake state - Client SSLv3 read server done A
(0) (TLS) send TLS 1.2 Handshake, Certificate
(0) (TLS) Handshake state - Client SSLv3 write client certificate A
(0) (TLS) send TLS 1.2 Handshake, ClientKeyExchange
(0) (TLS) Handshake state - Client SSLv3 write client key exchange A
(0) (TLS) send TLS 1.2 Handshake, CertificateVerify
(0) (TLS) Handshake state - Client SSLv3 write certificate verify A
(0) (TLS) send TLS 1.2 ChangeCipherSpec
(0) (TLS) Handshake state - Client SSLv3 write change cipher spec A
(0) (TLS) send TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Client SSLv3 write finished A
(0) (TLS) Handshake state - Client SSLv3 flush data
(0) (TLS) recv TLS 1.2 ChangeCipherSpec
(0) (TLS) recv TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Client SSLv3 read finished A
(0) (TLS) Handshake state - SSL negotiation finished successfully
Listening on proxy (158.64.1.52, 52959) -> home_server (145.100.189.5,
2083)
Waking up in 0.1 seconds.
(0) Proxying request to home server 145.100.189.5 port 2083 (TLS)
timeout 30.000000
(0) Sent Access-Request Id 187 from 158.64.1.52:52959 to
145.100.189.5:2083 length 125
(0) User-Name = "stefan at guest.showcase.surfnet.nl"
(0) User-Password = "test123"
(0) NAS-IP-Address = 158.64.1.52
(0) NAS-Port = 123
(0) Message-Authenticator = 0xfff0d0edbfc17b2c225243ae784db5f0
(0) Framed-Protocol = PPP
(0) Service-Type = Framed-User
(0) Event-Timestamp = "Jun 3 2022 15:24:51 CEST"
(0) Proxy-State = 0x313435
Thread 5 waiting to be assigned a request
(0) Marking home server 145.100.189.5 port 2083 alive
Waking up in 0.3 seconds.
Thread 4 got semaphore
Thread 4 handling request 0, (1 handled so far)
(0) Clearing existing &reply: attributes
(0) Received Access-Reject Id 187 from 145.100.189.5:2083 to
158.64.1.52:52959 length 59
(0) Reply-Message = "Request Denied"
(0) Message-Authenticator = 0xe95018c5f256990b9ba4fd5b3b5eafde
(0) Proxy-State = 0x313435
(0) server default {
(0) # Executing section post-proxy from file
/opt/freeradius/3.2.0/etc/raddb/sites-enabled/default
(0) post-proxy {
(0) eap: No pre-existing handler found
(0) [eap] = noop
(0) } # post-proxy = noop
(0) }
(0) Using Post-Auth-Type Reject
(0) # Executing group from file
/opt/freeradius/3.2.0/etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> stefan at guest.showcase.surfnet.nl
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Thread 4 waiting to be assigned a request
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 145 from 127.0.0.1:11812 to 127.0.0.1:46707
length 54
(0) Reply-Message = "Request Denied"
(0) Message-Authenticator = 0xe95018c5f256990b9ba4fd5b3b5eafde
Waking up in 1.9 seconds.
... cleaning up socket command file
/opt/freeradius/3.2.0/var/run/radiusd/radiusd.sock
Waking up in 2.0 seconds.
(0) Cleaning up request packet ID 145 with timestamp +2 due to
cleanup_delay was reached
Ready to process requests
>
> I'll take a look.
>
> Alan DeKok.
>
--
This email may contain information for limited distribution only, please treat accordingly.
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
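The mix-up in the debug output above (the issuing CA reported under TLS-Cert-*, the real peer certificate under TLS-Client-Cert-*) is why any policy that trusts a fixed chain offset is fragile. Added example, not FreeRADIUS or the poster's code: it selects the end-entity certificate from a presented chain by its properties rather than its position and checks it against the hostname configured as home_server ipaddr. The certificate records are constructed from the values in the log, and naive_offset_zero_check is a hypothetical stand-in for a policy keyed on whatever sits at offset 0.

```python
from dataclasses import dataclass, field

@dataclass
class CertInfo:
    """Subset of X.509 fields needed to locate the leaf (constructed records)."""
    subject: str
    issuer: str
    ca: bool                   # X509v3 Basic Constraints CA flag
    san_dns: list = field(default_factory=list)

# Chain in the order the debug output shows it: the issuing CA was reported
# under TLS-Cert-*, the real server leaf under TLS-Client-Cert-*.
CHAIN_AS_LOGGED = [
    CertInfo("/DC=org/DC=edupki/CN=eduPKI CA G 01",
             "/DC=org/DC=edupki/CN=eduPKI CA G 01", ca=True),
    CertInfo("/DC=net/DC=geant/DC=eduroam/C=NL/O=SURF/CN=slagroom.eduroam.nl",
             "/DC=org/DC=edupki/CN=eduPKI CA G 01", ca=False,
             san_dns=["kookroom.eduroam.nl", "roomkaas.eduroam.nl",
                      "slagroom.eduroam.nl"]),
]

def cn_of(dn):
    """Return the CN from an OpenSSL one-line DN such as /DC=org/CN=x, or None."""
    for rdn in dn.split("/"):
        if rdn.startswith("CN="):
            return rdn[3:]
    return None

def find_leaf(chain):
    """Pick the end-entity cert by its properties, not its offset: it must not
    be a CA and must not be the issuer of anything else in the chain."""
    issuers = {c.issuer for c in chain}
    leaves = [c for c in chain if not c.ca and c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity certificate, got {len(leaves)}")
    return leaves[0]

def peer_matches(chain, expected_host):
    """True if the leaf's SAN dNSNames (CN only when no SAN is present) contain
    the hostname configured as home_server ipaddr.  Chain order is irrelevant."""
    leaf = find_leaf(chain)
    names = leaf.san_dns or [n for n in [cn_of(leaf.subject)] if n]
    return expected_host.lower() in {n.lower() for n in names}

def naive_offset_zero_check(chain, expected_host):
    """Hypothetical policy that trusts whatever sits at offset 0 as the peer
    cert; with the logged order it compares the CA's CN and wrongly fails."""
    return cn_of(chain[0].subject) == expected_host
```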