FreeRADIUS EAP-TLS Auth. Issues

Alan DeKok aland at
Wed Jan 24 17:19:26 UTC 2024

On Jan 24, 2024, at 11:33 AM, Gerald Vogt <vogt at> wrote:
> So I have made suggestions on how to improve this, how to have clear and distinguished configuration parameters for the configuration of the tls server and the tls client verification.

  I'll have to disagree.  You were asked repeatedly in the GitHub issue to explain.  The responses were not actionable.

> I have pointed out how the comments for the configuration parameter are confusing or misleading.

  What is confusing?  What is misleading?  I've asked you for details.  In response, I get long descriptions which aren't actionable.

> If it's so easy and so clear, why don't you write it simply into the documentation? If I point out discrepancies or what's unclear, you shut it down.

  I didn't say it was easy and clear.  I said that you need to describe exactly what's wrong in the existing documentation.  In response, I got nothing actionable.

  In case it wasn't clear, the documentation is as clear as we can make it.  We've put literally decades into understanding every possible situation for FreeRADIUS, including TLS.  Yet despite that, OpenSSL and TLS are still magic.  It's still not clear to us why some things work and some don't.

  But you don't accept that.  You're refusing to do the work to figure it out, while still demanding that we do that work.  And anything you do figure out is secret, and you're not going to share.

  That attitude is highly inappropriate.

> Also, assuming that people know that the option "ca_dir" is used as openssl "CApath", thus requires the hashes, well... "We do not include ... all of OpenSSL documentation". Let the dumb user figure it out themselves. Why should the docs indicate that ca_dir is CApath and requires c_rehash (did FR 2.x mention c_rehash?)

  If only there was some kind of github thing where you could add explanations to the documentation, and have them included in the server.

> I did a bunch of stuff.
> It works for me. And I think that, the way I did it, it only works the way I expect and that there are no side effects which are allowed.

  So everything you did is secret, and you're not going to document what you did.

  Wonderful.  If you want a reason why you think the documentation is bad, it's because people figure things out, and then refuse to contribute.

> The documentation is unclear. I have to guess what the documentation means. You ask me for documentation updates. How am I supposed to give you a documentation update from some guesses? That documentation won't get any better, it's just another guess.

  Excuses.  You can document a "howto":  This is what I did, and this is what happens, and this is what works.

  All of your blaming me here is just excuses so that you can find reasons to *not* contribute.

> If that's a problem for you or doesn't fit your standards, well, no need to repeat your "patches are welcome"...

  My general response of "patches are welcome" is to people who give vague complaints, and then demand that everyone *else* do work.

  For people who give clear descriptions of problems, I push in fixes.  Documentation updates, code changes, etc.  Anyone who's paid attention to the list will see hundreds of examples of people saying "this isn't clear", followed by me pushing a patch minutes later.

  Hundreds, if not thousands of examples of me working with people to understand their needs, and adding fixes to make FreeRADIUS better, and people's lives easier.

  Yet some people always find a reason to complain, and reasons why they should never contribute.  And it's never their fault.  Hence my hostility to that entitled and negative attitude.

  Alan DeKok.
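
Added example, not from this thread or from the FreeRADIUS project: a POSIX shell check for the point raised above that `ca_dir` is handed to OpenSSL as CApath, so a CA certificate in that directory is only found through a `<subject_hash>.N` link, not by its plain filename. It assumes the `openssl` CLI is installed and that the directory path is supplied by the caller.

```shell
#!/bin/sh
# Verify (and optionally repair) the hashed-link layout OpenSSL expects in a
# CApath directory, which is what FreeRADIUS passes "ca_dir" as. OpenSSL
# looks up <subject_hash>.0, <subject_hash>.1, ...; a file named ca.pem with
# no such link is silently ignored and client certificate verification fails.
# Assumption: the openssl command-line tool is available on PATH.

# Print the subject hash OpenSSL uses for CApath lookups of one certificate.
cert_subject_hash() {
    openssl x509 -noout -subject_hash -in "$1" 2>/dev/null
}

# has_hashed_link DIR CERT HASH: 0 if some DIR/HASH.N resolves to CERT's bytes.
has_hashed_link() {
    for link in "$1/$3".[0-9]*; do
        [ -e "$link" ] && cmp -s "$link" "$2" && return 0
    done
    return 1
}

# check_capath DIR: 0 when every *.pem / *.crt in DIR is reachable through a
# hashed link, 1 otherwise. Non-certificate files (e.g. a stray private key)
# are reported too, since they do not belong in a CA directory.
check_capath() {
    dir=$1
    rc=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(cert_subject_hash "$cert") || { echo "not a cert: $cert" >&2; rc=1; continue; }
        if ! has_hashed_link "$dir" "$cert" "$hash"; then
            echo "missing hashed link for $cert (expected $hash.N)" >&2
            rc=1
        fi
    done
    return $rc
}

# rehash_capath DIR: create the missing links, as c_rehash / openssl rehash do.
rehash_capath() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(cert_subject_hash "$cert") || continue
        has_hashed_link "$dir" "$cert" "$hash" && continue
        n=0
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}
```

Run `check_capath /etc/raddb/certs/ca_dir` (or whatever `ca_dir` points at) after adding a CA certificate; a non-zero exit with "missing hashed link" explains an EAP-TLS client that is rejected with an unknown-CA error despite the CA file being present.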
