Post-Autz New-TLS-Connection
Alan DeKok
aland at deployingradius.com
Mon Apr 29 15:30:41 UTC 2024
On Apr 29, 2024, at 11:21 AM, nabble at felix.world wrote:
> Would that be a low hanging fruit on your side?
I'm a little swamped right now, but we'll see if I can find someone to look at it.
> The RadSec interfaces from network controllers is not always self-explaining nor the documentation is up-to-date and it would be great to see which certificate the client has used when errors like ‘unknown ca’ or ‘certificate expired’ are raised and creating a debug instance and put the server in debug mode could be avoided.
Yes.
> I know that you’re happy to accept patches and I will also start to poke around when the time allows.
The code in src/main/cb.c and src/main/tls.c shows it calling the ERROR() or RERROR() function for certificates which fail validation. So those errors should be logged to radiusd.log.
That being said, if OpenSSL just rejects the certificate before the FreeRADIUS code is called, we might not be able to do much of anything.
Run the server in debug mode to see what it does for failed certs, and then see what debug messages it produces. Then, look for those messages in the code to see what it's doing. There might be room for small easy tweaks.
Alan DeKok.
More information about the Freeradius-Users
mailing list