FreeRADIUS EAP-TLS Auth. Issues

Alan DeKok aland at deployingradius.com
Wed Jan 24 14:00:32 UTC 2024


On Jan 24, 2024, at 8:44 AM, Gerald Vogt <vogt at spamcop.net> wrote:
> Well, you'll probably understand that someone wouldn't want to make some bigger changes to the source, if someone hasn't written code in C for more than 20 years, and considering the way you shoot off replies to people here and on github, I'll surely expect any patch submitted being refused because there's something not the way you want it, not following some way or coding style which is somewhere probably documented at length.

  It's certainly easier to criticize than to contribute.

  One reason FreeRADIUS has become the de-facto RADIUS server world-wide is a consistent approach to documentation and code quality.  There are any number of projects (or companies) which have failed because of the attitude of "just hack it until it works".

  Insisting that code be good quality isn't an attempt to denigrate contributors as you imply.  It's an attempt to ensure good engineering.  You wouldn't live in a house which is slapped together by people who don't care if the roof falls in, so why ask the same of a software product?

> And adding new parameters and splitting the use of them to their proper causes is definitely not a two-line change.

  No one said it was.  However, it should be reasonably straightforward to describe what *should* be done.  It's possible to open a GitHub issue, and type in text.  Text which can describe at a high level what the configuration should look like, and how the functionality should behave.

  Nothing stops you from doing that, other than an attitude that you deserve to download FreeRADIUS for free, but it's inappropriate for you to be asked to contribute.

  At a high level, OpenSSL *should* do the right thing.  It's given a directory of root CAs and intermediate CAs.  It's given a client certificate signed by those CAs.  Yet it can't figure out that the client certificate is signed by those CAs.

  It's annoying, and we don't have infinite time to figure it out.  The team is busy with large amounts of other work.  The current behavior is OK for most people.  And no one is willing to contribute fixes.

> So please excuse me, if I don't want to spend time on something which I am pretty sure will be mostly wasted time...

  Yes.  Your work might not succeed, so why even try?

> And looking at
> 
> https://github.com/FreeRADIUS/freeradius-server/blob/57325921a6c6526519d5d6d494627f9d9a3611e3/src/lib/tls/verify.c#L389
> 
> it seems 4.x also uses a set of trusted certs in "chain" for the untrusted parameter of
> 
> int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store,
>                        X509 *target, STACK_OF(X509) *untrusted);

  Hmm, yes.  You have time and energy to criticize, but none to contribute.  i.e. the issue is attitude, not time.

> I am very sorry,

  Apparently not.

  I will still contribute to FreeRADIUS, even if others don't.

  I'm just disappointed that there is a large group of people who feel that they are entitled to criticize something, but who express horror at being asked to contribute.  If everyone behaved that way, then FreeRADIUS wouldn't exist, and you would be paying $2K a year for a commercial product.

  FreeRADIUS exists despite that attitude, not because of it.

  Alan DeKok.
