FreeRADIUS Creates New .vps and .asn1 Files for Cached TLS Sessions Instead of Reusing Them

Luca Borruto luca.borruto at agicap.com
Thu Sep 12 14:20:21 UTC 2024


Hey! I am currently using FreeRADIUS with EAP-TLS for client
authentication, and I have configured a TLS session cache directory at
`/var/log/freeradius/tlscache/`. However, every time a client reconnects,
FreeRADIUS creates new `.vps` and `.asn1` files for each session, even
though the session details remain the same.

**Expected Behavior**:
FreeRADIUS should reuse the cached session when a client reconnects instead
of creating new cache files.

**Actual Behavior**:
A new pair of `.vps` and `.asn1` files is created for every connection,
leading to unnecessary cache file creation and a potential performance hit.

**Logs Showing the Issue**:
When a client reconnects, FreeRADIUS logs indicate that it doesn’t find the
cached session, even though it previously created one:

For the second connection attempt:
```
(8) eap_tls: Peer requested cached session: 604b28a21b0839df85aac31a93fc59ae1efa3f58781088cb0df999c05fa9d01b
(8) eap_tls: WARNING: (TLS) TLS - No persisted session file /var/log/freeradius/tlscache/604b28a21b0839df85aac31a93fc59ae1efa3f58781088cb0df999c05fa9d01b.asn1: No such file or directory
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello
```

Then it recreates the session file:
```
(8) eap_tls: Serialising session 1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549, and storing in cache
(8) eap_tls: WARNING: (TLS) TLS - Wrote session 1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549 to /var/log/freeradius/tlscache/1dc61483794f1ea87b11939de76614a292e31d04f0fe045ce1ba9369158ff549.asn1 (1641 bytes)
```

**Sample Cached Session Files**:
Here are two examples of the `.vps` files generated for the same client:

First `.vps` file:
```
# SSL cached session
e6c48d5b37efbac1c4c1ec7604cb29a0030f0c6e22c304567c885f61147ea693
        EAP-Type = TLS,
        TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566",
        ...
```

Second `.vps` file (after reconnection):
```
# SSL cached session
e1103d784da8d948197c0346232a22e98863d5d366a75b95f15529622b34f95c
        EAP-Type = TLS,
        TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566",
        ...
```

As you can see, the session details are identical, but a new cache file is
created each time.

**Environment**:
- FreeRADIUS version: 3.2.6
- EAP-TLS with TLS 1.2
- OS: Debian
- TLS cache location: `/var/log/freeradius/tlscache/`

Why is FreeRADIUS not reusing the cached session and instead creating new
cached session files for every connection attempt? Is there a configuration
issue or a potential bug that might be causing this?
Thanks for any tips!
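
An added diagnostic example (not part of the original post and not FreeRADIUS code): it reads debug output in the format quoted above and reports, for each "No persisted session file" warning, whether the requested session ID was written earlier in the same log. The sample log lines and the short session IDs are constructed, and the script assumes one log message per line (unwrapped).

```python
import re

# Patterns taken from the message texts quoted in the post.
REQUESTED = re.compile(r"Peer requested cached session: ([0-9a-f]+)")
MISSING = re.compile(r"No persisted session file \S*/([0-9a-f]+)\.asn1")
WROTE = re.compile(r"Wrote session ([0-9a-f]+) to ")

# Constructed sample log; session IDs shortened for readability.
SAMPLE_LOG = """\
(3) eap_tls: WARNING: (TLS) TLS - Wrote session aa11 to /var/log/freeradius/tlscache/aa11.asn1 (1641 bytes)
(8) eap_tls: Peer requested cached session: aa11
(8) eap_tls: WARNING: (TLS) TLS - No persisted session file /var/log/freeradius/tlscache/aa11.asn1: No such file or directory
(8) eap_tls: WARNING: (TLS) TLS - Wrote session bb22 to /var/log/freeradius/tlscache/bb22.asn1 (1641 bytes)
(12) eap_tls: Peer requested cached session: cc33
(12) eap_tls: WARNING: (TLS) TLS - No persisted session file /var/log/freeradius/tlscache/cc33.asn1: No such file or directory
"""


def audit_resumption(log_text):
    """Correlate requested, missing and written session IDs in log order."""
    written = set()   # IDs the log shows being persisted so far
    requested = []    # IDs peers asked to resume
    misses = []       # (session_id, reason) for each cache-file miss
    for line in log_text.splitlines():
        if m := WROTE.search(line):
            written.add(m.group(1))
        elif m := REQUESTED.search(line):
            requested.append(m.group(1))
        elif m := MISSING.search(line):
            sid = m.group(1)
            if sid in written:
                # The server wrote this file earlier, yet it is absent now.
                reason = "written earlier, file gone"
            else:
                # The peer offers an ID this log never shows being stored.
                reason = "never written in this log"
            misses.append((sid, reason))
    return {"requested": requested, "misses": misses,
            "written": sorted(written)}


if __name__ == "__main__":
    report = audit_resumption(SAMPLE_LOG)
    for sid, reason in report["misses"]:
        print(f"{sid}: {reason}")
```

The two outcomes separate a cache file that was stored and later went missing from a session ID that the captured log never shows being stored at all.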

