FreeRADIUS EAP-TLS Auth. Issues
Gerald Vogt
vogt at spamcop.net
Wed Jan 24 14:44:58 UTC 2024
On 24.01.24 15:00, Alan DeKok wrote:
> On Jan 24, 2024, at 8:44 AM, Gerald Vogt <vogt at spamcop.net> wrote:
>> Well, you'll probably understand that someone wouldn't want to make some bigger changes to the source, if someone hasn't written code in C for more than 20 years, and considering the way you shoot off replies of people here and on github, I'll surely expect any patch submitted being refused because there's something not the way you want it, not following some way or coding style which is somewhere probably documented in length.
>
> It's certainly easier to criticize than to contribute.
>
> One reason FreeRADIUS has become the de-facto RADIUS server world-wide is a consistent approach to documentation and code quality. There are any number of projects (or companies) which have failed because of the attitude of "just hack it until it works".
>
> Insisting that code be good quality isn't an attempt to denigrate contributors as you imply. It's an attempt to ensure good engineering. You wouldn't live in a house which is slapped together by people who don't care if the roof falls in, so why ask the same of a software product?
>
>> And adding new parameters and splitting the use of them to their proper causes is definitely not a two-line change.
>
> No one said it was. However, it should be reasonably straightforward to describe what *should* be done. It's possible to open a GitHub issue, and type in text. Text which can describe at a high level what the configuration should look like, and how the functionality should behave.
I tried. You have closed the issue. You see my point? You consider
opening an issue just as critique and refuse from the very beginning.
> Nothing stops you from doing that, other than an attitude that you deserve to download FreeRADIUS for free, but it's inappropriate for you to be asked to contribute.
You can ask people to contribute, but you have to understand that there
are only a few people who are really able to contribute patches. I
cannot contribute. I don't have the technical knowledge to contribute.
And you don't like the high level contributions, either, just as your
reply to my extended explanation of the issue shows. I don't know what
the full and complete and correct solution should look like. That would
be something for discussion. But any solution to any problem starts IMHO
with describing what the current problem is.
But all you write in response is "supply patches", "source code is
available". What do you expect?
Even suggesting "correct documentation errors" isn't that simple,
because I mostly make assumptions about how a parameter is actually used
from what I see in the debug logs. I try to follow the source code to
some extent but it's not easy to do and I, too, have limited time at
hand trying to figure something out which probably a developer already
knows. So I cannot really correct documentation errors of parameters if
I don't really know where that parameter is used. And thus, assuming the
original text there was based on how it was or maybe even is used in
parts, I cannot really give a better text because I would have to know
the code much better.
Thus, all I can do then is to give some hints on how to use the current
parameters to get it properly working and give some explanations on why
it may be that way.
> At a high level, OpenSSL *should* do the right thing. It's given a directory of root CAs and intermediate CAs. It's given a client certificate signed by those CAs. Yet it can't figure out that the client certificate is signed by those CAs.
>
> It's annoying, and we don't have infinite time to figure it out. The team is busy with large amounts of other work. The current behavior is OK for most people. And no one is willing to contribute fixes.
That is not true. I am willing to contribute fixes, however, I am not
able to contribute fixes.
>> So please excuse me, if I don't want to spend time on something for which I am pretty sure will be mostly wasted time...
>
> Yes. Your work might not succeed, so why even try?
Yes. If the person who evaluates your attempt has a certain attitude to
shoot everything down, you'll obviously ask yourself why should you even
try.
I am more than willing to help as I do in a lot of other projects, but I
can always only contribute to the extent of my abilities (and the time I
have).
>> And looking at
>>
>> https://github.com/FreeRADIUS/freeradius-server/blob/57325921a6c6526519d5d6d494627f9d9a3611e3/src/lib/tls/verify.c#L389
>>
>> it seems 4.x also uses a set of trusted certs in "chain" for the untrusted parameter of
>>
>> int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store,
>> X509 *target, STACK_OF(X509) *untrusted);
>
> Hmm, yes. You have time and energy to criticize, but none to contribute. i.e. the issue is attitude, not time.
Again: you just shoot down a possible issue I have noticed as critique.
It's just pointless to discuss anything with you because your standard
answer to most remarks is like that...
So as you correctly state "the issue is attitude, not time". You just
have the problem of acknowledging how your attitude is the issue to
start with.
>> I am very sorry,
>
> Apparently not.
>
> I will still contribute to FreeRADIUS, even if others don't.
>
> I'm just disappointed that there is a large group of people who feel that they are entitled to criticize something, but who express horror at being asked to contribute. If everyone behaved that way, then FreeRADIUS wouldn't exist, and you would be paying $2K a year for a commercial product.
You are disappointed that there is a large group of people who have
suggestions how to improve something or who find issues in how things
are, but who are not able to contribute significantly...
And the attitude in your responses really kills off the last bit of
willingness to help to the extent possible.
> FreeRADIUS exists despite that attitude, not because of it.
As it does despite your attitude, but mostly, I guess, because there are
not many alternatives.
But I don't expect you to understand that your attitude towards others
has a direct effect on how willing people are to participate, or the
lack thereof.
We all have very limited time. I use freeradius and all that matters to
me in that respect is that I get it to work the way I want it to. If I
notice issues along that line I can point them out (that's not critique
even if it feels like it to you) and make some suggestions on how to
improve that (which still isn't critique), mostly very high level at
first because I don't work on my radius servers all the time.
You can either pick that up, show some interest and start a discussion
which could well go deeper, or you can simply be disappointed and tell
people that they "have time and energy to criticize, but none to
contribute", expecting them (between the lines) to provides fully
finished code patches which you can review.
Well. Again I am very sorry for wasting so much of your time (and mine
in this mail) with "useless" discussions for which you most likely don't
see how much you contribute to the problem you complain about.
I would love to participate and contribute if it was welcomed and not
just shot off...
Sorry,
Gerald
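The point quoted above, that the `untrusted` argument of `X509_STORE_CTX_init` is meant for chain material the verifier does not (yet) trust while `trust_store` holds the anchors, can be checked with nothing more than the openssl command line: `openssl verify -CAfile` fills the trust store and `-untrusted` fills the untrusted stack. The script below is an added example, not code from this thread or from FreeRADIUS. It assumes an openssl 1.1.1 or 3.x binary on PATH and constructs its own throw-away root, intermediate and client certificates (all names are made up), then verifies the client certificate under three trust configurations.

```shell
#!/bin/sh
# Added example; not code from the FreeRADIUS thread or project. Builds a
# constructed three-tier chain with the openssl CLI and verifies the client
# certificate with different trust-store / untrusted-chain combinations.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Key pair plus CSR for one subject (EC P-256, fast to generate).
csr() {  # $1 = file basename, $2 = CN
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

  # Root CA: self-signed (hypothetical name).
  csr root "Example Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem >/dev/null 2>&1

  # Intermediate CA: signed by the root.
  csr inter "Example Intermediate CA"
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem >/dev/null 2>&1

  # EAP-TLS client certificate: signed by the intermediate.
  csr client "user@example.org"
  openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -extfile client.ext -out client.pem >/dev/null 2>&1
}

# Root in the trust store, intermediate supplied only as untrusted chain
# material (-CAfile -> trust_store, -untrusted -> the untrusted STACK_OF(X509)
# of X509_STORE_CTX_init). Expected: the chain builds and verification succeeds.
verify_root_plus_untrusted() {
  openssl verify -CAfile root.pem -untrusted inter.pem client.pem >/dev/null 2>&1
}

# Root only, intermediate absent from both store and untrusted stack.
# Expected: failure ("unable to get local issuer certificate"), because
# nothing links the client certificate to the root.
verify_root_only() {
  openssl verify -CAfile root.pem client.pem >/dev/null 2>&1
}

# Root and intermediate both in the trust store, nothing untrusted. Expected:
# success; this is the situation when a whole CA directory is loaded as trusted.
verify_all_trusted() {
  cat root.pem inter.pem > trust.pem
  openssl verify -CAfile trust.pem client.pem >/dev/null 2>&1
}

make_chain
```

Run it directly: the first and third configurations succeed and the second fails, which shows that the intermediate has to reach the verifier somewhere, either as an untrusted chain certificate or as a member of the trust store, and that the root alone is not enough to validate a client certificate issued by an intermediate.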