Autz-Type New-TLS-Connection only available when using TLS 1.3

nabble at felix.world
Thu Feb 15 15:33:38 UTC 2024


Hi, 


As I was not able to find the following in the documentation, I assume that it’s a bug, but I may have overlooked something.


In order to make some additional checks for a RadSec connection, I enabled “check_client_connections” in the listen part and added

```
Autz-Type New-TLS-Connection {
	auth_log
}
```

in the authorize section in the server block.

And I can see that the Autz-Type gets compiled on server start. But the section will only get called if TLS 1.3 was used. For TLS 1.2 it just doesn’t see or call it.


Connection with TLS 1.3
```
Listening on auth+acct from client (172.18.0.3, 52448) -> (*, 2083, virtual-server=BoilerPlate-radsec)
Waking up in 0.9 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.3 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.3 ChangeCipherSpec
(0) (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(0) (TLS) Handshake state - Server TLSv1.3 early data
(0) (TLS) Server : Need to read more data: TLSv1.3 early data
(0) (TLS) In Handshake Phase
Waking up in 0.9 seconds.
(0) (TLS) Handshake state - Server TLSv1.3 early data
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.3 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.3 Handshake, EncryptedExtensions
(0) (TLS) Handshake state - Server TLSv1.3 write encrypted extensions
(0) (TLS) send TLS 1.3 Handshake, CertificateRequest
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate request
(0) (TLS) send TLS 1.3 Handshake, Certificate
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) send TLS 1.3 Handshake, CertificateVerify
(0) (TLS) Handshake state - Server TLSv1.3 write server certificate verify
(0) (TLS) send TLS 1.3 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS write finished
(0) (TLS) Handshake state - Server TLSv1.3 early data
(0) (TLS) Server : Need to read more data: TLSv1.3 early data
(0) (TLS) In Handshake Phase
Waking up in 0.9 seconds.
(0) (TLS) Handshake state - Server TLSv1.3 early data
(0) (TLS) recv TLS 1.3 Handshake, Certificate
(0) (TLS) Creating attributes from client certificate
(0)   TLS-Client-Cert-Serial := "2aef75f0ea7f49c68b28781d7a6a2ff9"
(0)   TLS-Client-Cert-Expiration := "340208105559Z"
(0)   TLS-Client-Cert-Valid-Since := "240208104559Z"
(0)   TLS-Client-Cert-Subject := "/CN=BoilerPlate"
(0)   TLS-Client-Cert-Issuer := "/CN=BoilerPlate"
(0)   TLS-Client-Cert-Common-Name := "BoilerPlate"
(0)   TLS-Client-Cert-Subject-Alt-Name-Dns := "radius.BoilerPlate.net"
(0)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:73:D2:45:9F:1A:5B:BB:04:31:0D:2B:52:A8:66:F9:72:EB:12:D1:54\n"
(0)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "73:D2:45:9F:1A:5B:BB:04:31:0D:2B:52:A8:66:F9:72:EB:12:D1:54"
Certificate chain - 0 cert(s) untrusted
(TLS) untrusted certificate with depth [0] subject name /CN=BoilerPlate
(0) (TLS) Handshake state - Server SSLv3/TLS read client certificate
(0) (TLS) recv TLS 1.3 Handshake, CertificateVerify
(0) (TLS) Handshake state - Server SSLv3/TLS read certificate verify
(0) (TLS) recv TLS 1.3 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS read finished
(0) (TLS) Handshake state - SSL negotiation finished successfully
(0) (TLS) Connection Established
(0)   TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384"
(0)   TLS-Session-Version = "TLS 1.3"
(0) (TLS) Application data.
Threads: total/active/spare threads = 3/0/3
Waking up in 0.3 seconds.
Thread 3 got semaphore
Thread 3 handling request 0, (1 handled so far)
(0) (TLS) Checking connection to see if it is authorized.
(0) # Executing group from file /usr/local/etc/raddb/sites-available/radsec-serv
(0)   Autz-Type New-TLS-Connection {
(0) auth_log: EXPAND /var/log/radius/radius-detail.log
(0) auth_log:    --> /var/log/radius/radius-detail.log
(0) auth_log: /var/log/radius/radius-detail.log expands to /var/log/radius/radius-detail.log
(0) auth_log: EXPAND Datetime = %T
(0) auth_log:    --> Datetime = 2024-02-15-15.27.49.096326
(0)     [auth_log] = ok
(0)   } # Autz-Type New-TLS-Connection = ok
(0) (TLS) Connection is authorized
(0) Sent Access-Accept Id 4294967295 from 0.0.0.0:2083 to 172.18.0.3:52448 length 0
(0) Finished request
Thread 3 waiting to be assigned a request
Waking up in 0.5 seconds.
```

Connection with TLS 1.2

```
Listening on auth+acct from client (172.18.0.3, 37500) -> (*, 2083, virtual-server=BoilerPlate-radsec)
Waking up in 0.5 seconds.
(0) (TLS) Initiating new session
(0) (TLS) Setting verify mode to require certificate from client
(0) (TLS) Handshake state - before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) Handshake state - Server before SSL initialization
(0) (TLS) recv TLS 1.3 Handshake, ClientHello
(0) (TLS) Handshake state - Server SSLv3/TLS read client hello
(0) (TLS) send TLS 1.2 Handshake, ServerHello
(0) (TLS) Handshake state - Server SSLv3/TLS write server hello
(0) (TLS) send TLS 1.2 Handshake, Certificate
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate
(0) (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS write key exchange
(0) (TLS) send TLS 1.2 Handshake, CertificateRequest
(0) (TLS) Handshake state - Server SSLv3/TLS write certificate request
(0) (TLS) send TLS 1.2 Handshake, ServerHelloDone
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) Server : Need to read more data: SSLv3/TLS write server done
(0) (TLS) In Handshake Phase
Waking up in 0.5 seconds.
(0) (TLS) Handshake state - Server SSLv3/TLS write server done
(0) (TLS) recv TLS 1.2 Handshake, Certificate
(0) (TLS) Creating attributes from client certificate
(0)   TLS-Client-Cert-Serial := "2aef75f0ea7f49c68b28781d7a6a2ff9"
(0)   TLS-Client-Cert-Expiration := "340208105559Z"
(0)   TLS-Client-Cert-Valid-Since := "240208104559Z"
(0)   TLS-Client-Cert-Subject := "/CN=BoilerPlate"
(0)   TLS-Client-Cert-Issuer := "/CN=BoilerPlate"
(0)   TLS-Client-Cert-Common-Name := "BoilerPlate"
(0)   TLS-Client-Cert-Subject-Alt-Name-Dns := "radius.BoilerPlate.net"
(0)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(0)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:73:D2:45:9F:1A:5B:BB:04:31:0D:2B:52:A8:66:F9:72:EB:12:D1:54\n"
(0)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "73:D2:45:9F:1A:5B:BB:04:31:0D:2B:52:A8:66:F9:72:EB:12:D1:54"
Certificate chain - 0 cert(s) untrusted
(TLS) untrusted certificate with depth [0] subject name /CN=BoilerPlate
(0) (TLS) Handshake state - Server SSLv3/TLS read client certificate
(0) (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
(0) (TLS) Handshake state - Server SSLv3/TLS read client key exchange
(0) (TLS) recv TLS 1.2 Handshake, CertificateVerify
(0) (TLS) Handshake state - Server SSLv3/TLS read certificate verify
(0) (TLS) Handshake state - Server SSLv3/TLS read change cipher spec
(0) (TLS) recv TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS read finished
(0) (TLS) send TLS 1.2 ChangeCipherSpec
(0) (TLS) Handshake state - Server SSLv3/TLS write change cipher spec
(0) (TLS) send TLS 1.2 Handshake, Finished
(0) (TLS) Handshake state - Server SSLv3/TLS write finished
(0) (TLS) Handshake state - SSL negotiation finished successfully
(0) (TLS) Connection Established
(0)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(0)   TLS-Session-Version = "TLS 1.2"
Waking up in 0.5 seconds.
```


Is that on purpose and not documented, or have I overlooked something?
It’s the same behaviour with the source of 3.2.x and the default configuration. 


BR, 
Lineconnect
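One way to verify the symptom described in this post across many connections is to audit the `radiusd -X` output per RadSec connection and flag those that completed the handshake without ever reaching `Autz-Type New-TLS-Connection`. This is an added example, not FreeRADIUS code; the log text is a constructed sample trimmed from the lines quoted above, and the marker strings are assumed to match the debug output shown there.

```python
import re

# Constructed sample, trimmed from the radiusd -X output quoted in the post:
# a TLS 1.3 connection where the check runs and a TLS 1.2 one where it does not.
SAMPLE_LOG = """\
Listening on auth+acct from client (172.18.0.3, 52448) -> (*, 2083, virtual-server=BoilerPlate-radsec)
(0) (TLS) Connection Established
(0)   TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384"
(0)   TLS-Session-Version = "TLS 1.3"
(0) (TLS) Checking connection to see if it is authorized.
(0)   } # Autz-Type New-TLS-Connection = ok
(0) (TLS) Connection is authorized
Listening on auth+acct from client (172.18.0.3, 37500) -> (*, 2083, virtual-server=BoilerPlate-radsec)
(0) (TLS) Connection Established
(0)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(0)   TLS-Session-Version = "TLS 1.2"
"""

NEW_CONN = re.compile(r"^Listening on auth\+acct from client \(([^,]+), (\d+)\)")
ATTR = re.compile(r'(TLS-Session-Version|TLS-Session-Cipher-Suite) = "([^"]+)"')
# Debug-log markers (assumed from the post) showing the check_client_connections hook ran.
MARKERS = {
    "Connection Established": "established",
    "Checking connection to see if it is authorized": "checked",
    "Connection is authorized": "authorized",
}

def audit(log_text):
    """Split debug output per connection; record version, cipher and which markers appeared."""
    conns = []
    for line in log_text.splitlines():
        m = NEW_CONN.match(line)
        if m:
            conns.append({"peer": f"{m.group(1)}:{m.group(2)}", "version": None,
                          "cipher": None, "established": False,
                          "checked": False, "authorized": False})
            continue
        if not conns:
            continue  # noise before the first connection
        c = conns[-1]
        if (a := ATTR.search(line)):
            c["version" if a.group(1) == "TLS-Session-Version" else "cipher"] = a.group(2)
        for text, flag in MARKERS.items():
            if text in line:
                c[flag] = True
    return conns

def unchecked(log_text):
    """Connections that finished the handshake but never hit Autz-Type New-TLS-Connection."""
    return [c for c in audit(log_text) if c["established"] and not c["checked"]]
```

Any connection returned by `unchecked()` was accepted without the extra checks the section was meant to apply, so a non-empty result on a TLS 1.2-capable listener means the section cannot be relied on as the only gate.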