Way to configure logging to emit SSL Certificate info with a failure message?

Alan DeKok aland at deployingradius.com
Thu Mar 9 15:59:46 UTC 2023

On Mar 9, 2023, at 10:47 AM, Andy Arp <bubbaandy89 at gmail.com> wrote:
> Looking for ways to configure version 3.0.x to emit additional log data
> when an SSL error occurs.  Specifically looking for ways to emit the SAN or
> even the ID of the certificate being presented to make it easier to track
> down badly configured clients without having to turn on debug mode.
> Example of log message we're seeing as too generic currently:
> Mon Mar  6 10:32:59 2023 : ERROR: (0)   ERROR: SSL says error 23 :
> certificate revoked

  See the debug output.  The certificate fields are placed into attributes, and those attributes can be logged.

  Those error messages should also be placed into the TLS-Session-Information attribute, and placed into the session-state list.

  Alan DeKok.

More information about the Freeradius-Users mailing list