Add TLS version to logs with linelog in FreeRADIUS 3.2.4

Alan DeKok aland at deployingradius.com
Fri Nov 15 14:37:50 UTC 2024


On Nov 15, 2024, at 9:27 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
> You do not have to guess / suspect, I am pretty sure it is on our side, but it is hard to find this needle in a haystack in this kind of big setup. Strangely it was only related to this explicit thread "Add TLS version to logs with linelog in FreeRADIUS 3.2.4".

  OK.

> (188) eap_peap: (TLS) PEAP - Connection Established
> (188) eap_peap:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (188) eap_peap:   TLS-Session-Version = "TLS 1.2"
> 
> Why the f**k did I miss this in version 3.2.4? Or was it maybe "reintroduced" in 3.2.6 since I upgraded to this version lately; is this another “SSL thing” patched by Nick?

  "git annotate" states the TLS-Session-Version code was added in August 2018.

> - More debugging for SSL ciphers. Patch from Nick Porter.
> 
> Nonetheless, I am going to figure out how to adjust my linelog module configuration to get it back into the logs, because at the moment I still see NULL (example):

  It's not a matter of "adjusting" things.  It's figuring out where in the call flow the attribute is defined, and then accessing it after that.

> linelog 802.1x_authz_log {

  If you're logging this in the "authorize" phase, then it generally won't work.  The TLS variables are defined after that.

  Instead, log things in the "post-auth" phase.  You're guaranteed that the TLS variables are in the session-state, as everything TLS has finished by then.

  Alan DeKok.
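
The placement described in the reply above, as an added configuration sketch (not from the original thread and not the poster's configuration): a linelog instance that reads the TLS attributes from the session-state list and is called from post-auth. The instance name tls_version_log, the log file name and the message layout are assumptions; the fragment assumes the virtual server that handles the EAP conversation (sites-enabled/default in a stock install).

```conf
# mods-available/tls_version_log  (hypothetical instance; link it into mods-enabled/)
linelog tls_version_log {
	filename = ${logdir}/tls_version.log
	permissions = 0600

	# The TLS-Session-* attributes live in the session-state list, so the
	# list qualifier is required. The ":-none" fallback keeps the line
	# parseable for requests that never negotiated TLS (e.g. plain PAP).
	format = "%S user=%{User-Name} tls=%{%{session-state:TLS-Session-Version}:-none} cipher=%{%{session-state:TLS-Session-Cipher-Suite}:-none}"
}

# sites-enabled/default
authorize {
	# Calling tls_version_log here is too early in the call flow: the EAP
	# module has not finished the TLS handshake yet, so the attributes are
	# not defined and the expansion comes back empty.
}

post-auth {
	# By post-auth the TLS exchange has finished and the attributes are in
	# session-state, so the expansion in "format" resolves.
	tls_version_log
}
```

Running the server with "radiusd -X" and checking that the eap_peap "TLS-Session-Version" debug line appears before the tls_version_log call confirms the ordering for a given request.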


