TLS Cache

Rodrigo Prieto rodrigoprieto2019 at gmail.com
Sat Jul 19 11:05:03 UTC 2025


Hello, I'm currently working on configuring the TLS cache and noticed that,
upon reconnection, the client rewrites both files (.asn1 and .vps) in the
configured directory. From what I understand, it should reuse the
information stored in those files to avoid reestablishing the TLS
connection from scratch.

Alan, I promise I’ve read the comments in the configuration files, but I’m
still struggling to fully understand how it works. I’d really appreciate it
if you could help clarify this for me.

root@loli-pc:/var/log/freeradius/tlscache# ll
total 24K
drwxr-xr-x 2 freerad freerad 4,0K jul 19 07:54 .
drwxr-x--- 4 freerad freerad 4,0K jul 19 06:03 ..
-rw------- 1 freerad freerad 1,2K jul 19 07:54 35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f.asn1
-rw-r--r-- 1 freerad freerad 1,5K jul 19 07:54 35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f.vps
-rw------- 1 freerad freerad 1,2K jul 19 07:54 95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8.asn1
-rw-r--r-- 1 freerad freerad 1,5K jul 19 07:54 95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8.vps

First connection

8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   authenticate {
(8) eap: Removing EAP session with state 0x08b1afdb0eb6a23f
(8) eap: Previous EAP request found for state 0x08b1afdb0eb6a23f, released
from the list
(8) eap: Peer sent packet with method EAP TLS (13)
(8) eap: Calling submodule eap_tls to process data
(8) eap_tls: (TLS) EAP Got final fragment (110 bytes) total 2642
(8) eap_tls: (TLS) EAP Done initial handshake
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate
(8) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain
(8) eap_tls:   TLS-Cert-Serial := "7903974cb1367854b0fb2ee672ff78c68211ba5e"
(8) eap_tls:   TLS-Cert-Expiration := "250726070714Z"
(8) eap_tls:   TLS-Cert-Valid-Since := "250527070714Z"
(8) eap_tls:   TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin at example.org/CN=free.loli.local"
(8) eap_tls:   TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin at example.org/CN=free.loli.local"
(8) eap_tls:   TLS-Cert-Common-Name := "free.loli.local"
(8) eap_tls:   TLS-Cert-CRL-Distribution-Points += "
http://www.example.org/example_ca.crl"
(8) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain
(8) eap_tls:   TLS-Client-Cert-Serial := "02"
(8) eap_tls:   TLS-Client-Cert-Expiration := "250726070721Z"
(8) eap_tls:   TLS-Client-Cert-Valid-Since := "250527070721Z"
(8) eap_tls:   TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example
Inc./CN=lolito/emailAddress=userdsdsd at example.org"
(8) eap_tls:   TLS-Client-Cert-Issuer :=
"/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
admin at example.org/CN=free.loli.local"
(8) eap_tls:   TLS-Client-Cert-Common-Name := "lolito"
(8) eap_tls:   TLS-Client-Cert-CRL-Distribution-Points += "
http://www.example.com/example_ca.crl"
(8) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client
Authentication"
(8) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"FD:D3:42:C8:4A:F1:0C:65:A5:A3:B6:8E:2A:73:B0:FA:B2:0D:CF:CD"
(8) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"86:BC:40:4A:6E:B2:66:02:81:A5:75:19:DF:93:B8:AD:12:75:75:60"
(8) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
certificate
(8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client key
exchange
(8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
certificate verify
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change
cipher spec
(8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished
(8) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change
cipher spec
(8) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished
(8) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished
(8) eap_tls: Serialising session
95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8, and
storing in cache
(8) eap_tls: WARNING: (TLS) TLS - Wrote session
95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8 to
/var/log/freeradius/tlscache/95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8.asn1
(1175 bytes)
(8) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished
successfully
(8) eap_tls: (TLS) TLS - Connection Established
(8) eap_tls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8) eap_tls:   TLS-Session-Version = "TLS 1.2"
(8) eap: Sending EAP Request (code 1) ID 8 length 61
(8) eap: EAP session adding &reply:State = 0x08b1afdb0fb9a23f
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8)   Challenge { ... } # empty sub-section is ignored
(8) session-state: Saving cached attributes
(8)   Framed-MTU = 994
(8)   TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake,
ClientHello"
(8)   TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHello"
(8)   TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Certificate"
(8)   TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerKeyExchange"
(8)   TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
CertificateRequest"
(8)   TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
ServerHelloDone"
(8)   TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Certificate"
(8)   TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
ClientKeyExchange"
(8)   TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
CertificateVerify"
(8)   TLS-Session-Information = "(TLS) TLS - recv TLS 1.2 Handshake,
Finished"
(8)   TLS-Session-Information = "(TLS) TLS - send TLS 1.2 ChangeCipherSpec"
(8)   TLS-Session-Information = "(TLS) TLS - send TLS 1.2 Handshake,
Finished"
(8)   TLS-Cache-Filename =
"/var/log/freeradius/tlscache/95c5a5a5c3d3a9d5dfc5055fb9e68097f5f53d64ce5b0fbd0c8a2ffaadba6fc8.asn1"
(8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(8)   TLS-Session-Version = "TLS 1.2"
(8) Sent Access-Challenge Id 94 from 192.168.122.1:1812 to
192.168.122.64:53296 length 119
(8)   EAP-Message =
0x0108003d0d8000000033140303000101160303002805edd07841a6a266432a9833cf13cb26374e5900c2967dbef35d48b18a7f8be25844724e2f9a0645
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x08b1afdb0fb9a23fa8fead84ac6fdcc0
(8) Finished request

Second

(17) # Executing group from file /etc/freeradius/sites-enabled/default
(17)   authenticate {
(17) eap: Removing EAP session with state 0x4a09d2574c0edf49
(17) eap: Previous EAP request found for state 0x4a09d2574c0edf49, released
from the list
(17) eap: Peer sent packet with method EAP TLS (13)
(17) eap: Calling submodule eap_tls to process data
(17) eap_tls: (TLS) EAP Got final fragment (110 bytes) total 2642
(17) eap_tls: (TLS) EAP Done initial handshake
(17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server
done
(17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate
(17) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain
(17) eap_tls:   TLS-Cert-Serial :=
"7903974cb1367854b0fb2ee672ff78c68211ba5e"
(17) eap_tls:   TLS-Cert-Expiration := "250726070714Z"
(17) eap_tls:   TLS-Cert-Valid-Since := "250527070714Z"
(17) eap_tls:   TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin at example.org/CN=free.loli.local"
(17) eap_tls:   TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin at example.org/CN=free.loli.local"
(17) eap_tls:   TLS-Cert-Common-Name := "free.loli.local"
(17) eap_tls:   TLS-Cert-CRL-Distribution-Points += "
http://www.example.org/example_ca.crl"
(17) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain
(17) eap_tls:   TLS-Client-Cert-Serial := "02"
(17) eap_tls:   TLS-Client-Cert-Expiration := "250726070721Z"
(17) eap_tls:   TLS-Client-Cert-Valid-Since := "250527070721Z"
(17) eap_tls:   TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example
Inc./CN=lolito/emailAddress=userdsdsd at example.org"
(17) eap_tls:   TLS-Client-Cert-Issuer :=
"/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=
admin at example.org/CN=free.loli.local"
(17) eap_tls:   TLS-Client-Cert-Common-Name := "lolito"
(17) eap_tls:   TLS-Client-Cert-CRL-Distribution-Points += "
http://www.example.com/example_ca.crl"
(17) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication"
(17) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
"FD:D3:42:C8:4A:F1:0C:65:A5:A3:B6:8E:2A:73:B0:FA:B2:0D:CF:CD"
(17) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
"86:BC:40:4A:6E:B2:66:02:81:A5:75:19:DF:93:B8:AD:12:75:75:60"
(17) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
"1.3.6.1.5.5.7.3.2"
(17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
certificate
(17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client
key exchange
(17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, CertificateVerify
(17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read
certificate verify
(17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read change
cipher spec
(17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished
(17) eap_tls: (TLS) TLS - send TLS 1.2 ChangeCipherSpec
(17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change
cipher spec
(17) eap_tls: (TLS) TLS - send TLS 1.2 Handshake, Finished
(17) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished
(17) eap_tls: Serialising session
35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f, and
storing in cache
(17) eap_tls: WARNING: (TLS) TLS - Wrote session
35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f to
/var/log/freeradius/tlscache/35b6e644d6e9796809a07643ceee2542bcf311ef233ba29f8cec94d87d26e36f.asn1
(1175 bytes)
(17) eap_tls: (TLS) TLS - Handshake state - SSL negotiation finished
successfully
(17) eap_tls: (TLS) TLS - Connection Established
(17) eap_tls:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
(17) eap_tls:   TLS-Session-Version = "TLS 1.2"
(17) eap: Sending EAP Request (code 1) ID 8 length 61
(17) eap: EAP session adding &reply:State = 0x4a09d2574d01df49
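
A way to check from debug output like the above whether a reconnection resumed a cached session or ran a full handshake, as an added example that is not part of the original post or of FreeRADIUS. It relies on the TLS 1.2 rule that an abbreviated (resumed) handshake carries no ClientKeyExchange; the session ids and request 23 in the sample are constructed.

```python
import re

SID_A, SID_B = "a1" * 32, "b2" * 32  # constructed 64-hex session ids

# Constructed sample: requests 8 and 17 are abridged from the post's debug
# output (wrapped as mailed); request 23 is a hypothetical resumed session.
SAMPLE_LOG = f"""\
(8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(8) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(8) eap_tls: Serialising session
{SID_A}, and
storing in cache
(17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, ClientKeyExchange
(17) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
(17) eap_tls: Serialising session
{SID_B}, and
storing in cache
(23) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Finished
"""

REQ = re.compile(r"^\((\d+)\)\s+(.*)$")            # "(N) message"
HANDSHAKE = re.compile(r"recv TLS [\d.]+ Handshake, (\w+)")
STORED = re.compile(r"Serialising session\s+([0-9a-f]{64})")

def unwrap(text):
    """Rejoin mail-wrapped lines: a record starts with '(N) '."""
    records = []
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            records.append([int(m.group(1)), m.group(2)])
        elif records and line.strip():
            records[-1][1] += " " + line.strip()
    return records

def classify(text):
    """Return {request: (kind, newly_stored_session_id_or_None)}."""
    seen = {}
    for req, msg in unwrap(text):
        info = seen.setdefault(req, {"msgs": set(), "sid": None})
        info["msgs"].update(HANDSHAKE.findall(msg))
        if (m := STORED.search(msg)):
            info["sid"] = m.group(1)
    out = {}
    for req, info in seen.items():
        # A key exchange means nothing was resumed; Finished alone is resumption.
        kind = ("full" if "ClientKeyExchange" in info["msgs"] else
                "resumed" if "Finished" in info["msgs"] else "incomplete")
        out[req] = (kind, info["sid"])
    return out
```

Run against the two requests in the post, `classify` reports both as full handshakes that each stored a new session id, which matches the two separate file pairs in the cache directory.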

